1 /*-
2 * Copyright (c) 2016-2017 Yandex LLC
3 * Copyright (c) 2016-2017 Andrey V. Elsukov <ae@FreeBSD.org>
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 */
26
27 #include <sys/param.h>
28 #include <sys/systm.h>
29 #include <sys/malloc.h>
30 #include <sys/kernel.h>
31 #include <sys/hash.h>
32 #include <sys/lock.h>
33 #include <sys/rwlock.h>
34 #include <sys/rmlock.h>
35 #include <sys/socket.h>
36 #include <sys/socketvar.h>
37 #include <sys/queue.h>
38
39 #include <net/if.h> /* ip_fw.h requires IFNAMSIZ */
40 #include <net/pfil.h>
41 #include <netinet/in.h>
42 #include <netinet/ip_var.h> /* struct ipfw_rule_ref */
43 #include <netinet/ip_fw.h>
44
45 #include <netpfil/ipfw/ip_fw_private.h>
46
47 #include "opt_ipfw.h"
48
49 /*
50 * External actions support for ipfw.
51 *
52 * This code provides KPI for implementing loadable modules, that
53 * can provide handlers for external action opcodes in the ipfw's
54 * rules.
55 * Module should implement opcode handler with type ipfw_eaction_t.
56 * This handler will be called by ipfw_chk() function when
57 * O_EXTERNAL_ACTION opcode is matched. The handler must return
58 * value used as return value in ipfw_chk(), i.e. IP_FW_PASS,
59 * IP_FW_DENY (see ip_fw_private.h).
60 * Also the last argument must be set by handler. If it is zero,
61 * the search continues to the next rule. If it has non zero value,
62 * the search terminates.
63 *
64 * The module that implements external action should register its
65 * handler and name with ipfw_add_eaction() function.
66 * This function will return eaction_id, that can be used by module.
67 *
68 * It is possible to pass some additional information to external
69 * action handler using O_EXTERNAL_INSTANCE and O_EXTERNAL_DATA opcodes.
70 * Such opcodes should be next after the O_EXTERNAL_ACTION opcode.
71 * For the O_EXTERNAL_INSTANCE opcode the cmd->arg1 contains index of named
72 * object related to an instance of external action.
73 * For the O_EXTERNAL_DATA opcode the cmd contains the data that can be used
74 * by external action handler without needing to create named instance.
75 *
76 * In case when eaction module uses named instances, it should register
77 * opcode rewriting routines for O_EXTERNAL_INSTANCE opcode. The
78 * classifier callback can look back into O_EXTERNAL_ACTION opcode (it
79 * must be in the (ipfw_insn *)(cmd - 1)). By arg1 from O_EXTERNAL_ACTION
80 * it can deteremine eaction_id and compare it with its own.
81 * The macro IPFW_TLV_EACTION_NAME(eaction_id) can be used to deteremine
82 * the type of named_object related to external action instance.
83 *
84 * On module unload handler should be deregistered with ipfw_del_eaction()
85 * function using known eaction_id.
86 */
87
88 struct eaction_obj {
89 struct named_object no;
90 ipfw_eaction_t *handler;
91 char name[64];
92 };
93
94 #define EACTION_OBJ(ch, cmd) \
95 ((struct eaction_obj *)SRV_OBJECT((ch), (cmd)->arg1))
96
97 #if 0
98 #define EACTION_DEBUG(fmt, ...) do { \
99 printf("%s: " fmt "\n", __func__, ## __VA_ARGS__); \
100 } while (0)
101 #else
102 #define EACTION_DEBUG(fmt, ...)
103 #endif
104
105 const char *default_eaction_typename = "drop";
106 static int
default_eaction(struct ip_fw_chain * ch,struct ip_fw_args * args,ipfw_insn * cmd,int * done)107 default_eaction(struct ip_fw_chain *ch, struct ip_fw_args *args,
108 ipfw_insn *cmd, int *done)
109 {
110
111 *done = 1; /* terminate the search */
112 return (IP_FW_DENY);
113 }
114
115 /*
116 * Opcode rewriting callbacks.
117 */
118 static int
eaction_classify(ipfw_insn * cmd,uint16_t * puidx,uint8_t * ptype)119 eaction_classify(ipfw_insn *cmd, uint16_t *puidx, uint8_t *ptype)
120 {
121
122 EACTION_DEBUG("opcode %d, arg1 %d", cmd->opcode, cmd->arg1);
123 *puidx = cmd->arg1;
124 *ptype = 0;
125 return (0);
126 }
127
128 static void
eaction_update(ipfw_insn * cmd,uint16_t idx)129 eaction_update(ipfw_insn *cmd, uint16_t idx)
130 {
131
132 cmd->arg1 = idx;
133 EACTION_DEBUG("opcode %d, arg1 -> %d", cmd->opcode, cmd->arg1);
134 }
135
136 static int
eaction_findbyname(struct ip_fw_chain * ch,struct tid_info * ti,struct named_object ** pno)137 eaction_findbyname(struct ip_fw_chain *ch, struct tid_info *ti,
138 struct named_object **pno)
139 {
140 ipfw_obj_ntlv *ntlv;
141
142 if (ti->tlvs == NULL)
143 return (EINVAL);
144
145 /* Search ntlv in the buffer provided by user */
146 ntlv = ipfw_find_name_tlv_type(ti->tlvs, ti->tlen, ti->uidx,
147 IPFW_TLV_EACTION);
148 if (ntlv == NULL)
149 return (EINVAL);
150 EACTION_DEBUG("name %s, uidx %u, type %u", ntlv->name,
151 ti->uidx, ti->type);
152 /*
153 * Search named object with corresponding name.
154 * Since eaction objects are global - ignore the set value
155 * and use zero instead.
156 */
157 *pno = ipfw_objhash_lookup_name_type(CHAIN_TO_SRV(ch),
158 0, IPFW_TLV_EACTION, ntlv->name);
159 if (*pno == NULL)
160 return (ESRCH);
161 return (0);
162 }
163
164 static struct named_object *
eaction_findbykidx(struct ip_fw_chain * ch,uint16_t idx)165 eaction_findbykidx(struct ip_fw_chain *ch, uint16_t idx)
166 {
167
168 EACTION_DEBUG("kidx %u", idx);
169 return (ipfw_objhash_lookup_kidx(CHAIN_TO_SRV(ch), idx));
170 }
171
172 static struct opcode_obj_rewrite eaction_opcodes[] = {
173 {
174 .opcode = O_EXTERNAL_ACTION,
175 .etlv = IPFW_TLV_EACTION,
176 .classifier = eaction_classify,
177 .update = eaction_update,
178 .find_byname = eaction_findbyname,
179 .find_bykidx = eaction_findbykidx,
180 },
181 };
182
183 static int
create_eaction_obj(struct ip_fw_chain * ch,ipfw_eaction_t handler,const char * name,uint16_t * eaction_id)184 create_eaction_obj(struct ip_fw_chain *ch, ipfw_eaction_t handler,
185 const char *name, uint16_t *eaction_id)
186 {
187 struct namedobj_instance *ni;
188 struct eaction_obj *obj;
189
190 IPFW_UH_UNLOCK_ASSERT(ch);
191
192 ni = CHAIN_TO_SRV(ch);
193 obj = malloc(sizeof(*obj), M_IPFW, M_WAITOK | M_ZERO);
194 obj->no.name = obj->name;
195 obj->no.etlv = IPFW_TLV_EACTION;
196 obj->handler = handler;
197 strlcpy(obj->name, name, sizeof(obj->name));
198
199 IPFW_UH_WLOCK(ch);
200 if (ipfw_objhash_lookup_name_type(ni, 0, IPFW_TLV_EACTION,
201 name) != NULL) {
202 /*
203 * Object is already created.
204 * We don't allow eactions with the same name.
205 */
206 IPFW_UH_WUNLOCK(ch);
207 free(obj, M_IPFW);
208 EACTION_DEBUG("External action with typename "
209 "'%s' already exists", name);
210 return (EEXIST);
211 }
212 if (ipfw_objhash_alloc_idx(ni, &obj->no.kidx) != 0) {
213 IPFW_UH_WUNLOCK(ch);
214 free(obj, M_IPFW);
215 EACTION_DEBUG("alloc_idx failed");
216 return (ENOSPC);
217 }
218 ipfw_objhash_add(ni, &obj->no);
219 IPFW_WLOCK(ch);
220 SRV_OBJECT(ch, obj->no.kidx) = obj;
221 IPFW_WUNLOCK(ch);
222 obj->no.refcnt++;
223 IPFW_UH_WUNLOCK(ch);
224
225 if (eaction_id != NULL)
226 *eaction_id = obj->no.kidx;
227 return (0);
228 }
229
230 static void
destroy_eaction_obj(struct ip_fw_chain * ch,struct named_object * no)231 destroy_eaction_obj(struct ip_fw_chain *ch, struct named_object *no)
232 {
233 struct namedobj_instance *ni;
234 struct eaction_obj *obj;
235
236 IPFW_UH_WLOCK_ASSERT(ch);
237
238 ni = CHAIN_TO_SRV(ch);
239 IPFW_WLOCK(ch);
240 obj = SRV_OBJECT(ch, no->kidx);
241 SRV_OBJECT(ch, no->kidx) = NULL;
242 IPFW_WUNLOCK(ch);
243 ipfw_objhash_del(ni, no);
244 ipfw_objhash_free_idx(ni, no->kidx);
245 free(obj, M_IPFW);
246 }
247
248 /*
249 * Resets all eaction opcodes to default handlers.
250 */
251 static void
reset_eaction_rules(struct ip_fw_chain * ch,uint16_t eaction_id,uint16_t instance_id,bool reset_rules)252 reset_eaction_rules(struct ip_fw_chain *ch, uint16_t eaction_id,
253 uint16_t instance_id, bool reset_rules)
254 {
255 struct named_object *no;
256 int i;
257
258 IPFW_UH_WLOCK_ASSERT(ch);
259
260 no = ipfw_objhash_lookup_name_type(CHAIN_TO_SRV(ch), 0,
261 IPFW_TLV_EACTION, default_eaction_typename);
262 if (no == NULL)
263 panic("Default external action handler is not found");
264 if (eaction_id == no->kidx)
265 panic("Wrong eaction_id");
266
267 EACTION_DEBUG("Going to replace id %u with %u", eaction_id, no->kidx);
268 IPFW_WLOCK(ch);
269 /*
270 * Reset eaction objects only if it is referenced by rules.
271 * But always reset objects for orphaned dynamic states.
272 */
273 if (reset_rules) {
274 for (i = 0; i < ch->n_rules; i++) {
275 /*
276 * Refcount on the original object will be just
277 * ignored on destroy. Refcount on default_eaction
278 * will be decremented on rule deletion, thus we
279 * need to reference default_eaction object.
280 */
281 if (ipfw_reset_eaction(ch, ch->map[i], eaction_id,
282 no->kidx, instance_id) != 0)
283 no->refcnt++;
284 }
285 }
286 /*
287 * Reset eaction opcodes for orphaned dynamic states.
288 * Since parent rules are already deleted, we don't need to
289 * reference named object of default_eaction.
290 */
291 ipfw_dyn_reset_eaction(ch, eaction_id, no->kidx, instance_id);
292 IPFW_WUNLOCK(ch);
293 }
294
295 /*
296 * Initialize external actions framework.
297 * Create object with default eaction handler "drop".
298 */
299 int
ipfw_eaction_init(struct ip_fw_chain * ch,int first)300 ipfw_eaction_init(struct ip_fw_chain *ch, int first)
301 {
302 int error;
303
304 error = create_eaction_obj(ch, default_eaction,
305 default_eaction_typename, NULL);
306 if (error != 0)
307 return (error);
308 IPFW_ADD_OBJ_REWRITER(first, eaction_opcodes);
309 EACTION_DEBUG("External actions support initialized");
310 return (0);
311 }
312
313 void
ipfw_eaction_uninit(struct ip_fw_chain * ch,int last)314 ipfw_eaction_uninit(struct ip_fw_chain *ch, int last)
315 {
316 struct namedobj_instance *ni;
317 struct named_object *no;
318
319 ni = CHAIN_TO_SRV(ch);
320
321 IPFW_UH_WLOCK(ch);
322 no = ipfw_objhash_lookup_name_type(ni, 0, IPFW_TLV_EACTION,
323 default_eaction_typename);
324 if (no != NULL)
325 destroy_eaction_obj(ch, no);
326 IPFW_UH_WUNLOCK(ch);
327 IPFW_DEL_OBJ_REWRITER(last, eaction_opcodes);
328 EACTION_DEBUG("External actions support uninitialized");
329 }
330
331 /*
332 * Registers external action handler to the global array.
333 * On success it returns eaction id, otherwise - zero.
334 */
335 uint16_t
ipfw_add_eaction(struct ip_fw_chain * ch,ipfw_eaction_t handler,const char * name)336 ipfw_add_eaction(struct ip_fw_chain *ch, ipfw_eaction_t handler,
337 const char *name)
338 {
339 uint16_t eaction_id;
340
341 eaction_id = 0;
342 if (ipfw_check_object_name_generic(name) == 0) {
343 create_eaction_obj(ch, handler, name, &eaction_id);
344 EACTION_DEBUG("Registered external action '%s' with id %u",
345 name, eaction_id);
346 }
347 return (eaction_id);
348 }
349
350 /*
351 * Deregisters external action handler with id eaction_id.
352 */
353 int
ipfw_del_eaction(struct ip_fw_chain * ch,uint16_t eaction_id)354 ipfw_del_eaction(struct ip_fw_chain *ch, uint16_t eaction_id)
355 {
356 struct named_object *no;
357
358 IPFW_UH_WLOCK(ch);
359 no = ipfw_objhash_lookup_kidx(CHAIN_TO_SRV(ch), eaction_id);
360 if (no == NULL || no->etlv != IPFW_TLV_EACTION) {
361 IPFW_UH_WUNLOCK(ch);
362 return (EINVAL);
363 }
364 reset_eaction_rules(ch, eaction_id, 0, (no->refcnt > 1));
365 EACTION_DEBUG("External action '%s' with id %u unregistered",
366 no->name, eaction_id);
367 destroy_eaction_obj(ch, no);
368 IPFW_UH_WUNLOCK(ch);
369 return (0);
370 }
371
372 int
ipfw_reset_eaction(struct ip_fw_chain * ch,struct ip_fw * rule,uint16_t eaction_id,uint16_t default_id,uint16_t instance_id)373 ipfw_reset_eaction(struct ip_fw_chain *ch, struct ip_fw *rule,
374 uint16_t eaction_id, uint16_t default_id, uint16_t instance_id)
375 {
376 ipfw_insn *cmd, *icmd;
377 int l;
378
379 IPFW_UH_WLOCK_ASSERT(ch);
380 IPFW_WLOCK_ASSERT(ch);
381
382 /*
383 * Return if there is not O_EXTERNAL_ACTION or its id is
384 * different.
385 */
386 cmd = ipfw_get_action(rule);
387 if (cmd->opcode != O_EXTERNAL_ACTION ||
388 cmd->arg1 != eaction_id)
389 return (0);
390 /*
391 * Check if there is O_EXTERNAL_INSTANCE opcode, we need
392 * to truncate the rule length.
393 *
394 * NOTE: F_LEN(cmd) must be 1 for O_EXTERNAL_ACTION opcode,
395 * and rule length should be enough to keep O_EXTERNAL_INSTANCE
396 * opcode, thus we do check for l > 1.
397 */
398 l = rule->cmd + rule->cmd_len - cmd;
399 if (l > 1) {
400 MPASS(F_LEN(cmd) == 1);
401 icmd = cmd + 1;
402 if (icmd->opcode == O_EXTERNAL_INSTANCE &&
403 instance_id != 0 && icmd->arg1 != instance_id)
404 return (0);
405 /*
406 * Since named_object related to this instance will be
407 * destroyed, truncate the chain of opcodes to remove
408 * the rest of cmd chain just after O_EXTERNAL_ACTION
409 * opcode.
410 */
411 EACTION_DEBUG("truncate rule %d: len %u -> %u",
412 rule->rulenum, rule->cmd_len,
413 rule->cmd_len - F_LEN(icmd));
414 rule->cmd_len -= F_LEN(icmd);
415 MPASS(((uint32_t *)icmd -
416 (uint32_t *)rule->cmd) == rule->cmd_len);
417 }
418
419 cmd->arg1 = default_id; /* Set to default id */
420 /*
421 * Return 1 when reset successfully happened.
422 */
423 return (1);
424 }
425
426 /*
427 * This function should be called before external action instance is
428 * destroyed. It will reset eaction_id to default_id for rules, where
429 * eaction has instance with id == kidx.
430 */
431 int
ipfw_reset_eaction_instance(struct ip_fw_chain * ch,uint16_t eaction_id,uint16_t kidx)432 ipfw_reset_eaction_instance(struct ip_fw_chain *ch, uint16_t eaction_id,
433 uint16_t kidx)
434 {
435 struct named_object *no;
436
437 IPFW_UH_WLOCK_ASSERT(ch);
438 no = ipfw_objhash_lookup_kidx(CHAIN_TO_SRV(ch), eaction_id);
439 if (no == NULL || no->etlv != IPFW_TLV_EACTION)
440 return (EINVAL);
441
442 reset_eaction_rules(ch, eaction_id, kidx, 0);
443 return (0);
444 }
445
446 int
ipfw_run_eaction(struct ip_fw_chain * ch,struct ip_fw_args * args,ipfw_insn * cmd,int * done)447 ipfw_run_eaction(struct ip_fw_chain *ch, struct ip_fw_args *args,
448 ipfw_insn *cmd, int *done)
449 {
450
451 return (EACTION_OBJ(ch, cmd)->handler(ch, args, cmd, done));
452 }
453