1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause
3 *
4 * Copyright (c) 2001 Daniel Hartmeier
5 * Copyright (c) 2002,2003 Henning Brauer
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * - Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * - Redistributions in binary form must reproduce the above
15 * copyright notice, this list of conditions and the following
16 * disclaimer in the documentation and/or other materials provided
17 * with the distribution.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
22 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
23 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
25 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
26 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
27 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
29 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30 * POSSIBILITY OF SUCH DAMAGE.
31 *
32 * Effort sponsored in part by the Defense Advanced Research Projects
33 * Agency (DARPA) and Air Force Research Laboratory, Air Force
34 * Materiel Command, USAF, under agreement number F30602-01-2-0537.
35 *
36 * $OpenBSD: pf_ruleset.c,v 1.2 2008/12/18 15:31:37 dhill Exp $
37 */
38
39 #include <sys/param.h>
40 #include <sys/socket.h>
41 #include <sys/mbuf.h>
42
43 #include <netinet/in.h>
44 #include <netinet/in_systm.h>
45 #include <netinet/ip.h>
46 #include <netinet/tcp.h>
47
48 #include <net/if.h>
49 #include <net/vnet.h>
50 #include <net/pfvar.h>
51
52 #ifdef INET6
53 #include <netinet/ip6.h>
54 #endif /* INET6 */
55
56 #include <arpa/inet.h>
57 #include <errno.h>
58 #include <stdio.h>
59 #include <stdlib.h>
60 #include <string.h>
61 #define rs_malloc(x) calloc(1, x)
62 #define rs_free(x) free(x)
63
64 #include "pfctl.h"
65 #include "pfctl_parser.h"
66
67 #ifdef PFDEBUG
68 #include <sys/stdarg.h>
69 #define DPFPRINTF(format, x...) fprintf(stderr, format , ##x)
70 #else
71 #define DPFPRINTF(format, x...) ((void)0)
72 #endif /* PFDEBUG */
73
74 struct pfctl_anchor_global pf_anchors;
75 extern struct pfctl_anchor pf_main_anchor;
76 extern struct pfctl_eth_anchor pf_eth_main_anchor;
77 #undef V_pf_anchors
78 #define V_pf_anchors pf_anchors
79 #undef pf_main_ruleset
80 #define pf_main_ruleset pf_main_anchor.ruleset
81
82 static __inline int pf_anchor_compare(struct pfctl_anchor *,
83 struct pfctl_anchor *);
84 static struct pfctl_anchor *pf_find_anchor(const char *);
85
86 RB_GENERATE(pfctl_anchor_global, pfctl_anchor, entry_global,
87 pf_anchor_compare);
88 RB_GENERATE(pfctl_anchor_node, pfctl_anchor, entry_node, pf_anchor_compare);
89
90 static __inline int
pf_anchor_compare(struct pfctl_anchor * a,struct pfctl_anchor * b)91 pf_anchor_compare(struct pfctl_anchor *a, struct pfctl_anchor *b)
92 {
93 int c = strcmp(a->path, b->path);
94
95 return (c ? (c < 0 ? -1 : 1) : 0);
96 }
97
98 int
pf_get_ruleset_number(u_int8_t action)99 pf_get_ruleset_number(u_int8_t action)
100 {
101 switch (action) {
102 case PF_SCRUB:
103 case PF_NOSCRUB:
104 return (PF_RULESET_SCRUB);
105 break;
106 case PF_PASS:
107 case PF_DROP:
108 case PF_MATCH:
109 return (PF_RULESET_FILTER);
110 break;
111 case PF_NAT:
112 case PF_NONAT:
113 return (PF_RULESET_NAT);
114 break;
115 case PF_BINAT:
116 case PF_NOBINAT:
117 return (PF_RULESET_BINAT);
118 break;
119 case PF_RDR:
120 case PF_NORDR:
121 return (PF_RULESET_RDR);
122 break;
123 default:
124 return (PF_RULESET_MAX);
125 break;
126 }
127 }
128
129 void
pf_init_ruleset(struct pfctl_ruleset * ruleset)130 pf_init_ruleset(struct pfctl_ruleset *ruleset)
131 {
132 int i;
133
134 memset(ruleset, 0, sizeof(struct pfctl_ruleset));
135 for (i = 0; i < PF_RULESET_MAX; i++) {
136 TAILQ_INIT(&ruleset->rules[i].queues[0]);
137 TAILQ_INIT(&ruleset->rules[i].queues[1]);
138 ruleset->rules[i].active.ptr = &ruleset->rules[i].queues[0];
139 ruleset->rules[i].inactive.ptr = &ruleset->rules[i].queues[1];
140 }
141 }
142
143 static struct pfctl_anchor *
pf_find_anchor(const char * path)144 pf_find_anchor(const char *path)
145 {
146 struct pfctl_anchor *key, *found;
147
148 key = (struct pfctl_anchor *)rs_malloc(sizeof(*key));
149 if (key == NULL)
150 return (NULL);
151 strlcpy(key->path, path, sizeof(key->path));
152 found = RB_FIND(pfctl_anchor_global, &V_pf_anchors, key);
153 rs_free(key);
154 return (found);
155 }
156
157 struct pfctl_ruleset *
pf_find_ruleset(const char * path)158 pf_find_ruleset(const char *path)
159 {
160 struct pfctl_anchor *anchor;
161
162 while (*path == '/')
163 path++;
164 if (!*path)
165 return (&pf_main_ruleset);
166 anchor = pf_find_anchor(path);
167 if (anchor == NULL)
168 return (NULL);
169 else
170 return (&anchor->ruleset);
171 }
172
173 struct pfctl_ruleset *
pf_find_or_create_ruleset(const char * path)174 pf_find_or_create_ruleset(const char *path)
175 {
176 char *p, *q, *r;
177 struct pfctl_ruleset *ruleset;
178 struct pfctl_anchor *anchor = NULL, *dup, *parent = NULL;
179
180 if (path[0] == 0)
181 return (&pf_main_ruleset);
182 while (*path == '/')
183 path++;
184 ruleset = pf_find_ruleset(path);
185 if (ruleset != NULL)
186 return (ruleset);
187 p = (char *)rs_malloc(MAXPATHLEN);
188 if (p == NULL)
189 return (NULL);
190 strlcpy(p, path, MAXPATHLEN);
191 while (parent == NULL && (q = strrchr(p, '/')) != NULL) {
192 *q = 0;
193 if ((ruleset = pf_find_ruleset(p)) != NULL) {
194 parent = ruleset->anchor;
195 break;
196 }
197 }
198 if (q == NULL)
199 q = p;
200 else
201 q++;
202 strlcpy(p, path, MAXPATHLEN);
203 if (!*q) {
204 rs_free(p);
205 return (NULL);
206 }
207 while ((r = strchr(q, '/')) != NULL || *q) {
208 if (r != NULL)
209 *r = 0;
210 if (!*q || strlen(q) >= PF_ANCHOR_NAME_SIZE ||
211 (parent != NULL && strlen(parent->path) >=
212 MAXPATHLEN - PF_ANCHOR_NAME_SIZE - 1)) {
213 rs_free(p);
214 return (NULL);
215 }
216 anchor = (struct pfctl_anchor *)rs_malloc(sizeof(*anchor));
217 if (anchor == NULL) {
218 rs_free(p);
219 return (NULL);
220 }
221 RB_INIT(&anchor->children);
222 strlcpy(anchor->name, q, sizeof(anchor->name));
223 if (parent != NULL) {
224 strlcpy(anchor->path, parent->path,
225 sizeof(anchor->path));
226 strlcat(anchor->path, "/", sizeof(anchor->path));
227 }
228 strlcat(anchor->path, anchor->name, sizeof(anchor->path));
229 if ((dup = RB_INSERT(pfctl_anchor_global, &V_pf_anchors, anchor)) !=
230 NULL) {
231 printf("pf_find_or_create_ruleset: RB_INSERT1 "
232 "'%s' '%s' collides with '%s' '%s'\n",
233 anchor->path, anchor->name, dup->path, dup->name);
234 rs_free(anchor);
235 rs_free(p);
236 return (NULL);
237 }
238 if (parent != NULL) {
239 anchor->parent = parent;
240 if ((dup = RB_INSERT(pfctl_anchor_node, &parent->children,
241 anchor)) != NULL) {
242 printf("pf_find_or_create_ruleset: "
243 "RB_INSERT2 '%s' '%s' collides with "
244 "'%s' '%s'\n", anchor->path, anchor->name,
245 dup->path, dup->name);
246 RB_REMOVE(pfctl_anchor_global, &V_pf_anchors,
247 anchor);
248 rs_free(anchor);
249 rs_free(p);
250 return (NULL);
251 }
252 }
253 pf_init_ruleset(&anchor->ruleset);
254 anchor->ruleset.anchor = anchor;
255 parent = anchor;
256 if (r != NULL)
257 q = r + 1;
258 else
259 *q = 0;
260 }
261 rs_free(p);
262 return (&anchor->ruleset);
263 }
264
265 void
pf_remove_if_empty_ruleset(struct pfctl_ruleset * ruleset)266 pf_remove_if_empty_ruleset(struct pfctl_ruleset *ruleset)
267 {
268 struct pfctl_anchor *parent;
269 int i;
270
271 while (ruleset != NULL) {
272 if (ruleset == &pf_main_ruleset || ruleset->anchor == NULL ||
273 !RB_EMPTY(&ruleset->anchor->children) ||
274 ruleset->anchor->refcnt > 0 || ruleset->tables > 0 ||
275 ruleset->topen)
276 return;
277 for (i = 0; i < PF_RULESET_MAX; ++i)
278 if (!TAILQ_EMPTY(ruleset->rules[i].active.ptr) ||
279 !TAILQ_EMPTY(ruleset->rules[i].inactive.ptr) ||
280 ruleset->rules[i].inactive.open)
281 return;
282 RB_REMOVE(pfctl_anchor_global, &V_pf_anchors, ruleset->anchor);
283 if ((parent = ruleset->anchor->parent) != NULL)
284 RB_REMOVE(pfctl_anchor_node, &parent->children,
285 ruleset->anchor);
286 rs_free(ruleset->anchor);
287 if (parent == NULL)
288 return;
289 ruleset = &parent->ruleset;
290 }
291 }
292
293 void
pf_remove_if_empty_eth_ruleset(struct pfctl_eth_ruleset * ruleset)294 pf_remove_if_empty_eth_ruleset(struct pfctl_eth_ruleset *ruleset)
295 {
296 struct pfctl_eth_anchor *parent;
297
298 return;
299 while (ruleset != NULL) {
300 if (ruleset == &pf_eth_main_anchor.ruleset ||
301 ruleset->anchor == NULL || ruleset->anchor->refcnt > 0)
302 return;
303 if (!TAILQ_EMPTY(&ruleset->rules))
304 return;
305 rs_free(ruleset->anchor);
306 if (parent == NULL)
307 return;
308 ruleset = &parent->ruleset;
309 }
310 }
311
312 void
pf_init_eth_ruleset(struct pfctl_eth_ruleset * ruleset)313 pf_init_eth_ruleset(struct pfctl_eth_ruleset *ruleset)
314 {
315
316 memset(ruleset, 0, sizeof(*ruleset));
317 TAILQ_INIT(&ruleset->rules);
318 }
319
320
321 static struct pfctl_eth_anchor*
_pf_find_eth_anchor(struct pfctl_eth_anchor * anchor,const char * path)322 _pf_find_eth_anchor(struct pfctl_eth_anchor *anchor, const char *path)
323 {
324 struct pfctl_eth_rule *r;
325 struct pfctl_eth_anchor *a;
326
327 if (strcmp(path, anchor->path) == 0)
328 return (anchor);
329
330 TAILQ_FOREACH(r, &anchor->ruleset.rules, entries) {
331 if (! r->anchor)
332 continue;
333
334 /* Step into anchor */
335 a = _pf_find_eth_anchor(r->anchor, path);
336 if (a)
337 return (a);
338 }
339
340 return (NULL);
341 }
342
343 static struct pfctl_eth_anchor*
pf_find_eth_anchor(const char * path)344 pf_find_eth_anchor(const char *path)
345 {
346 return (_pf_find_eth_anchor(&pf_eth_main_anchor, path));
347 }
348
349 static struct pfctl_eth_ruleset*
pf_find_eth_ruleset(const char * path)350 pf_find_eth_ruleset(const char *path)
351 {
352 struct pfctl_eth_anchor *anchor;
353
354 while (*path == '/')
355 path++;
356 if (!*path)
357 return (&pf_eth_main_anchor.ruleset);
358 anchor = pf_find_eth_anchor(path);
359 if (anchor == NULL)
360 return (NULL);
361 else
362 return (&anchor->ruleset);
363 }
364
365 struct pfctl_eth_ruleset *
pf_find_or_create_eth_ruleset(const char * path)366 pf_find_or_create_eth_ruleset(const char *path)
367 {
368 char *p, *q, *r;
369 struct pfctl_eth_ruleset *ruleset;
370 struct pfctl_eth_anchor *anchor = NULL, *parent = NULL;
371
372 if (path[0] == 0)
373 return (&pf_eth_main_anchor.ruleset);
374 while (*path == '/')
375 path++;
376 ruleset = pf_find_eth_ruleset(path);
377 if (ruleset != NULL)
378 return (ruleset);
379 p = (char *)rs_malloc(MAXPATHLEN);
380 if (p == NULL)
381 return (NULL);
382 strlcpy(p, path, MAXPATHLEN);
383 while (parent == NULL && (q = strrchr(p, '/')) != NULL) {
384 *q = 0;
385 if ((ruleset = pf_find_eth_ruleset(p)) != NULL) {
386 parent = ruleset->anchor;
387 break;
388 }
389 }
390 if (q == NULL)
391 q = p;
392 else
393 q++;
394 strlcpy(p, path, MAXPATHLEN);
395 if (!*q) {
396 rs_free(p);
397 return (NULL);
398 }
399 while ((r = strchr(q, '/')) != NULL || *q) {
400 if (r != NULL)
401 *r = 0;
402 if (!*q || strlen(q) >= PF_ANCHOR_NAME_SIZE ||
403 (parent != NULL && strlen(parent->path) >=
404 MAXPATHLEN - PF_ANCHOR_NAME_SIZE - 1)) {
405 rs_free(p);
406 return (NULL);
407 }
408 anchor = (struct pfctl_eth_anchor *)rs_malloc(sizeof(*anchor));
409 if (anchor == NULL) {
410 rs_free(p);
411 return (NULL);
412 }
413 strlcpy(anchor->name, q, sizeof(anchor->name));
414 if (parent != NULL) {
415 strlcpy(anchor->path, parent->path,
416 sizeof(anchor->path));
417 strlcat(anchor->path, "/", sizeof(anchor->path));
418 }
419 strlcat(anchor->path, anchor->name, sizeof(anchor->path));
420 if (parent != NULL)
421 anchor->parent = parent;
422 pf_init_eth_ruleset(&anchor->ruleset);
423 anchor->ruleset.anchor = anchor;
424 parent = anchor;
425 if (r != NULL)
426 q = r + 1;
427 else
428 *q = 0;
429 }
430 rs_free(p);
431 return (&anchor->ruleset);
432 }
433
434 int
pfctl_anchor_setup(struct pfctl_rule * r,const struct pfctl_ruleset * s,const char * name)435 pfctl_anchor_setup(struct pfctl_rule *r, const struct pfctl_ruleset *s,
436 const char *name)
437 {
438 char *p, *path;
439 struct pfctl_ruleset *ruleset;
440
441 r->anchor = NULL;
442 r->anchor_relative = 0;
443 r->anchor_wildcard = 0;
444 if (!name[0])
445 return (0);
446 path = (char *)rs_malloc(MAXPATHLEN);
447 if (path == NULL)
448 return (1);
449 if (name[0] == '/')
450 strlcpy(path, name + 1, MAXPATHLEN);
451 else {
452 /* relative path */
453 r->anchor_relative = 1;
454 if (s->anchor == NULL || !s->anchor->path[0])
455 path[0] = 0;
456 else
457 strlcpy(path, s->anchor->path, MAXPATHLEN);
458 while (name[0] == '.' && name[1] == '.' && name[2] == '/') {
459 if (!path[0]) {
460 printf("pfctl_anchor_setup: .. beyond root\n");
461 rs_free(path);
462 return (1);
463 }
464 if ((p = strrchr(path, '/')) != NULL)
465 *p = 0;
466 else
467 path[0] = 0;
468 r->anchor_relative++;
469 name += 3;
470 }
471 if (path[0])
472 strlcat(path, "/", MAXPATHLEN);
473 strlcat(path, name, MAXPATHLEN);
474 }
475 if ((p = strrchr(path, '/')) != NULL && !strcmp(p, "/*")) {
476 r->anchor_wildcard = 1;
477 *p = 0;
478 }
479 ruleset = pf_find_or_create_ruleset(path);
480 rs_free(path);
481 if (ruleset == NULL || ruleset->anchor == NULL) {
482 printf("pfctl_anchor_setup: ruleset\n");
483 return (1);
484 }
485 r->anchor = ruleset->anchor;
486 r->anchor->refcnt++;
487 return (0);
488 }
489
490 int
pfctl_eth_anchor_setup(struct pfctl * pf,struct pfctl_eth_rule * r,const struct pfctl_eth_ruleset * s,const char * name)491 pfctl_eth_anchor_setup(struct pfctl *pf, struct pfctl_eth_rule *r,
492 const struct pfctl_eth_ruleset *s, const char *name)
493 {
494 char *p, *path;
495 struct pfctl_eth_ruleset *ruleset;
496
497 r->anchor = NULL;
498 if (!name[0])
499 return (0);
500 path = (char *)rs_malloc(MAXPATHLEN);
501 if (path == NULL)
502 return (1);
503 if (name[0] == '/')
504 strlcpy(path, name + 1, MAXPATHLEN);
505 else {
506 /* relative path */
507 if (s->anchor == NULL || !s->anchor->path[0])
508 path[0] = 0;
509 else
510 strlcpy(path, s->anchor->path, MAXPATHLEN);
511 while (name[0] == '.' && name[1] == '.' && name[2] == '/') {
512 if (!path[0]) {
513 printf("%s: .. beyond root\n", __func__);
514 rs_free(path);
515 return (1);
516 }
517 if ((p = strrchr(path, '/')) != NULL)
518 *p = 0;
519 else
520 path[0] = 0;
521 name += 3;
522 }
523 if (path[0])
524 strlcat(path, "/", MAXPATHLEN);
525 strlcat(path, name, MAXPATHLEN);
526 }
527 if ((p = strrchr(path, '/')) != NULL && !strcmp(p, "/*")) {
528 *p = 0;
529 }
530 ruleset = pf_find_or_create_eth_ruleset(path);
531 rs_free(path);
532 if (ruleset == NULL || ruleset->anchor == NULL) {
533 printf("%s: ruleset\n", __func__);
534 return (1);
535 }
536 r->anchor = ruleset->anchor;
537 r->anchor->refcnt++;
538 return (0);
539 }
540