/*- * SPDX-License-Identifier: BSD-2-Clause * * Copyright 2005, Gleb Smirnoff <glebius@FreeBSD.org> * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include "opt_inet.h" #include "opt_inet6.h" #include <sys/param.h> #include <sys/systm.h> #include <sys/kernel.h> #include <sys/lock.h> #include <sys/mbuf.h> #include <sys/malloc.h> #include <sys/ctype.h> #include <sys/errno.h> #include <sys/rwlock.h> #include <sys/socket.h> #include <sys/syslog.h> #include <net/if.h> #include <net/if_var.h> #include <netinet/in.h> #include <netinet/in_systm.h> #include <netinet/in_var.h> #include <netinet/ip_var.h> #include <netinet/ip_fw.h> #include <netinet/ip.h> #include <netinet/ip6.h> #include <netinet6/ip6_var.h> #include <netpfil/ipfw/ip_fw_private.h> #include <netgraph/ng_message.h> #include <netgraph/ng_parse.h> #include <netgraph/ng_ipfw.h> #include <netgraph/netgraph.h> static int ng_ipfw_mod_event(module_t mod, int event, void *data); static ng_constructor_t ng_ipfw_constructor; static ng_shutdown_t ng_ipfw_shutdown; static ng_newhook_t ng_ipfw_newhook; static ng_connect_t ng_ipfw_connect; static ng_findhook_t ng_ipfw_findhook; static ng_rcvdata_t ng_ipfw_rcvdata; static ng_disconnect_t ng_ipfw_disconnect; static hook_p ng_ipfw_findhook1(node_p, u_int16_t ); static int ng_ipfw_input(struct mbuf **, struct ip_fw_args *, bool); /* We have only one node */ static node_p fw_node; /* Netgraph node type descriptor */ static struct ng_type ng_ipfw_typestruct = { .version = NG_ABI_VERSION, .name = NG_IPFW_NODE_TYPE, .mod_event = ng_ipfw_mod_event, .constructor = ng_ipfw_constructor, .shutdown = ng_ipfw_shutdown, .newhook = ng_ipfw_newhook, .connect = ng_ipfw_connect, .findhook = ng_ipfw_findhook, .rcvdata = ng_ipfw_rcvdata, .disconnect = ng_ipfw_disconnect, }; NETGRAPH_INIT(ipfw, &ng_ipfw_typestruct); MODULE_DEPEND(ng_ipfw, ipfw, 3, 3, 3); /* Information we store for each hook */ struct ng_ipfw_hook_priv { hook_p hook; u_int16_t rulenum; }; typedef struct ng_ipfw_hook_priv *hpriv_p; static int ng_ipfw_mod_event(module_t mod, int event, void *data) { int error = 0; switch (event) { case MOD_LOAD: if (ng_ipfw_input_p != NULL) { error = EEXIST; break; } /* Setup node without any private data */ if ((error = ng_make_node_common(&ng_ipfw_typestruct, &fw_node)) != 0) { log(LOG_ERR, "%s: can't create ng_ipfw node", __func__); break; } /* Try to name node */ if (ng_name_node(fw_node, "ipfw") != 0) log(LOG_WARNING, "%s: failed to name node \"ipfw\"", __func__); /* Register hook */ ng_ipfw_input_p = ng_ipfw_input; break; case MOD_UNLOAD: /* * This won't happen if a node exists. * ng_ipfw_input_p is already cleared. */ break; default: error = EOPNOTSUPP; break; } return (error); } static int ng_ipfw_constructor(node_p node) { return (EINVAL); /* Only one node */ } static int ng_ipfw_newhook(node_p node, hook_p hook, const char *name) { hpriv_p hpriv; u_int16_t rulenum; const char *cp; char *endptr; /* Protect from leading zero */ if (name[0] == '0' && name[1] != '\0') return (EINVAL); /* Check that name contains only digits */ for (cp = name; *cp != '\0'; cp++) if (!isdigit(*cp)) return (EINVAL); /* Convert it to integer */ rulenum = (u_int16_t)strtol(name, &endptr, 10); if (*endptr != '\0') return (EINVAL); /* Allocate memory for this hook's private data */ hpriv = malloc(sizeof(*hpriv), M_NETGRAPH, M_NOWAIT | M_ZERO); if (hpriv== NULL) return (ENOMEM); hpriv->hook = hook; hpriv->rulenum = rulenum; NG_HOOK_SET_PRIVATE(hook, hpriv); return(0); } /* * Set hooks into queueing mode, to avoid recursion between * netgraph layer and ip_{input,output}. */ static int ng_ipfw_connect(hook_p hook) { NG_HOOK_FORCE_QUEUE(hook); return (0); } /* Look up hook by name */ static hook_p ng_ipfw_findhook(node_p node, const char *name) { u_int16_t n; /* numeric representation of hook */ char *endptr; n = (u_int16_t)strtol(name, &endptr, 10); if (*endptr != '\0') return NULL; return ng_ipfw_findhook1(node, n); } /* Look up hook by rule number */ static hook_p ng_ipfw_findhook1(node_p node, u_int16_t rulenum) { hook_p hook; hpriv_p hpriv; LIST_FOREACH(hook, &node->nd_hooks, hk_hooks) { hpriv = NG_HOOK_PRIVATE(hook); if (NG_HOOK_IS_VALID(hook) && (hpriv->rulenum == rulenum)) return (hook); } return (NULL); } static int ng_ipfw_rcvdata(hook_p hook, item_p item) { struct m_tag *tag; struct ipfw_rule_ref *r; struct mbuf *m; struct ip *ip; NGI_GET_M(item, m); NG_FREE_ITEM(item); tag = m_tag_locate(m, MTAG_IPFW_RULE, 0, NULL); if (tag == NULL) { NG_FREE_M(m); return (EINVAL); /* XXX: find smth better */ } if (m->m_len < sizeof(struct ip) && (m = m_pullup(m, sizeof(struct ip))) == NULL) return (ENOBUFS); ip = mtod(m, struct ip *); r = (struct ipfw_rule_ref *)(tag + 1); if (r->info & IPFW_INFO_IN) { switch (ip->ip_v) { #ifdef INET case IPVERSION: ip_input(m); return (0); #endif #ifdef INET6 case IPV6_VERSION >> 4: ip6_input(m); return (0); #endif } } else { switch (ip->ip_v) { #ifdef INET case IPVERSION: return (ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL)); #endif #ifdef INET6 case IPV6_VERSION >> 4: return (ip6_output(m, NULL, NULL, 0, NULL, NULL, NULL)); #endif } } /* unknown IP protocol version */ NG_FREE_M(m); return (EPROTONOSUPPORT); } static int ng_ipfw_input(struct mbuf **m0, struct ip_fw_args *fwa, bool tee) { struct mbuf *m; hook_p hook; int error = 0; /* * Node must be loaded and corresponding hook must be present. */ if (fw_node == NULL || (hook = ng_ipfw_findhook1(fw_node, fwa->rule.info)) == NULL) return (ESRCH); /* no hook associated with this rule */ /* * We have two modes: in normal mode we add a tag to packet, which is * important to return packet back to IP stack. In tee mode we make * a copy of a packet and forward it into netgraph without a tag. */ if (tee == false) { struct m_tag *tag; struct ipfw_rule_ref *r; m = *m0; *m0 = NULL; /* it belongs now to netgraph */ tag = m_tag_alloc(MTAG_IPFW_RULE, 0, sizeof(*r), M_NOWAIT|M_ZERO); if (tag == NULL) { m_freem(m); return (ENOMEM); } r = (struct ipfw_rule_ref *)(tag + 1); *r = fwa->rule; r->info &= IPFW_ONEPASS; /* keep this info */ r->info |= (fwa->flags & IPFW_ARGS_IN) ? IPFW_INFO_IN : IPFW_INFO_OUT; m_tag_prepend(m, tag); } else if ((m = m_dup(*m0, M_NOWAIT)) == NULL) return (ENOMEM); /* which is ignored */ if (m->m_len < sizeof(struct ip) && (m = m_pullup(m, sizeof(struct ip))) == NULL) return (EINVAL); NG_SEND_DATA_ONLY(error, hook, m); return (error); } static int ng_ipfw_shutdown(node_p node) { /* * After our single node has been removed, * the only thing that can be done is * 'kldunload ng_ipfw.ko' */ ng_ipfw_input_p = NULL; NG_NODE_UNREF(node); return (0); } static int ng_ipfw_disconnect(hook_p hook) { const hpriv_p hpriv = NG_HOOK_PRIVATE(hook); free(hpriv, M_NETGRAPH); NG_HOOK_SET_PRIVATE(hook, NULL); return (0); }