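/*
 * Copyright (c) 2014 The DragonFly Project.  All rights reserved.
 *
 * This code is derived from software contributed to The DragonFly Project
 * by Bill Yuan <bycn82@dragonflybsd.org>
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 * 3. Neither the name of The DragonFly Project nor the names of its
 *    contributors may be used to endorse or promote products derived
 *    from this software without specific, prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE
 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include <sys/param.h>
#include <sys/systm.h>
#include <sys/kernel.h>
#include <sys/malloc.h>
#include <sys/mbuf.h>
#include <sys/socketvar.h>
#include <sys/sysctl.h>
#include <sys/systimer.h>
#include <sys/thread2.h>

#include <net/ethernet.h>
#include <net/netmsg2.h>
#include <net/netisr2.h>
#include <net/route.h>

#include <netinet/in_var.h>
#include <netinet/ip_var.h>

#include <net/ipfw3/ip_fw.h>
#include <net/ipfw3/ip_fw3_table.h>

#include "ip_fw3_layer2.h"

/*
 * ipfw3 layer-2 match module.
 *
 * Every check_* function below is a filter_func: it receives the rule
 * context through (*args), the current instruction in cmd, and reports
 * the outcome through *cmd_ctl (always IP_FW_CTL_NO here -- these opcodes
 * never alter rule flow) and *cmd_val (the match result).  All of them
 * treat a packet without an Ethernet header ((*args)->eh == NULL) as a
 * non-match.  f and ip_len are part of the filter_func signature and are
 * not used by this module.
 */

/* Per-CPU ipfw contexts; tables are looked up in the current CPU's copy. */
extern struct ipfw_context *ipfw_ctx[MAXCPU];

void check_layer2(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
		struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len);
void check_mac(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
		struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len);
void
check_mac_from(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
		struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len);
void
check_mac_from_lookup(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
		struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len);
void
check_mac_to(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
		struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len);
void
check_mac_to_lookup(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
		struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len);

/*
 * Masked octet compare: returns 1 when (hdr[i] & mask[i]) == want[i] for
 * every i in [0, len), 0 otherwise.  Done one octet at a time so that no
 * wider-than-byte load is issued through the Ethernet header, which lives
 * inside an mbuf and is not guaranteed to be 32-bit aligned.  The result
 * (1/0) is what check_mac/check_mac_from/check_mac_to store in *cmd_val.
 */
static int
mac_masked_eq(const uint8_t *want, const uint8_t *mask, const uint8_t *hdr,
    size_t len)
{
	size_t i;

	for (i = 0; i < len; i++) {
		if (want[i] != (hdr[i] & mask[i]))
			return 0;
	}
	return 1;
}

/*
 * Look up one 6-octet MAC address in ipfw3 table number cmd->arg1 on the
 * current CPU.  Returns IP_FW_MATCH when the table holds an entry for it
 * and IP_FW_NOT_MATCH otherwise -- including when the table has no radix
 * head, which previously dereferenced NULL.
 */
static int
mac_table_lookup(const ipfw_insn *cmd, const uint8_t *mac)
{
	struct ipfw_context *ctx = ipfw_ctx[mycpuid];
	struct ipfw_table_context *table_ctx;
	struct radix_node_head *rnh;
	struct sockaddr sa;

	/*
	 * NOTE(review): arg1 is used as a raw index into ctx->table_ctx with
	 * no bound check here; it is assumed to be validated when the rule
	 * is installed -- confirm in the rule/table install path.
	 */
	table_ctx = ctx->table_ctx + cmd->arg1;
	rnh = table_ctx->node;
	if (rnh == NULL)
		return IP_FW_NOT_MATCH;

	/*
	 * Radix key: sa_len, sa_family, then the six address octets
	 * (sa_len = 8, as before).  The address is copied with memcpy, not
	 * strncpy: a MAC octet may legitimately be 0x00 and strncpy stops at
	 * the first one and zero-fills the rest, so e.g. 00:11:22:33:44:55
	 * used to be looked up as 00:00:00:00:00:00 and every address with a
	 * leading zero octet collided on the same key.  The rest of the
	 * struct is zeroed so no uninitialized stack bytes reach the lookup.
	 * Assumes entries were inserted with this same 8-byte key layout --
	 * confirm against the MAC table code in ip_fw3_table.c.
	 */
	bzero(&sa, sizeof(sa));
	sa.sa_len = sizeof(sa.sa_len) + sizeof(sa.sa_family) + ETHER_ADDR_LEN;
	memcpy(sa.sa_data, mac, ETHER_ADDR_LEN);

	if (rnh->rnh_lookup((char *)&sa, NULL, rnh) != NULL)
		return IP_FW_MATCH;
	return IP_FW_NOT_MATCH;
}

/*
 * O_LAYER2_LAYER2: match when the packet carries an Ethernet header.
 */
void
check_layer2(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
		struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len)
{
	*cmd_ctl = IP_FW_NOT_MATCH == 0 ? IP_FW_CTL_NO : IP_FW_CTL_NO;
	*cmd_val = ((*args)->eh != NULL);
}

/*
 * O_LAYER2_MAC: masked match of destination and source MAC together.
 * The instruction's addr/mask hold 12 octets: destination first, then
 * source, mirroring the first 12 octets of the Ethernet header.
 */
void
check_mac(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
		struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len)
{
	const ipfw_insn_mac *m = (const ipfw_insn_mac *)cmd;

	*cmd_ctl = IP_FW_CTL_NO;
	if ((*args)->eh == NULL) {
		*cmd_val = IP_FW_NOT_MATCH;
		return;
	}
	*cmd_val = mac_masked_eq((const uint8_t *)m->addr,
	    (const uint8_t *)m->mask, (const uint8_t *)(*args)->eh,
	    2 * ETHER_ADDR_LEN);
}

/*
 * O_LAYER2_MAC_SRC: masked match of the source MAC only.  The source
 * pattern is the second 6-octet half of the instruction's addr/mask.
 */
void
check_mac_from(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
		struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len)
{
	const ipfw_insn_mac *m = (const ipfw_insn_mac *)cmd;

	*cmd_ctl = IP_FW_CTL_NO;
	if ((*args)->eh == NULL) {
		*cmd_val = IP_FW_NOT_MATCH;
		return;
	}
	*cmd_val = mac_masked_eq((const uint8_t *)m->addr + ETHER_ADDR_LEN,
	    (const uint8_t *)m->mask + ETHER_ADDR_LEN,
	    (*args)->eh->ether_shost, ETHER_ADDR_LEN);
}

/*
 * O_LAYER2_MAC_SRC_LOOKUP: match when the source MAC is present in
 * table cmd->arg1.
 */
void
check_mac_from_lookup(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
		struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len)
{
	*cmd_ctl = IP_FW_CTL_NO;
	*cmd_val = IP_FW_NOT_MATCH;
	if ((*args)->eh != NULL)
		*cmd_val = mac_table_lookup(cmd, (*args)->eh->ether_shost);
}

/*
 * O_LAYER2_MAC_DST: masked match of the destination MAC only.  The
 * destination pattern is the first 6-octet half of addr/mask.
 */
void
check_mac_to(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
		struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len)
{
	const ipfw_insn_mac *m = (const ipfw_insn_mac *)cmd;

	*cmd_ctl = IP_FW_CTL_NO;
	if ((*args)->eh == NULL) {
		*cmd_val = IP_FW_NOT_MATCH;
		return;
	}
	*cmd_val = mac_masked_eq((const uint8_t *)m->addr,
	    (const uint8_t *)m->mask, (*args)->eh->ether_dhost,
	    ETHER_ADDR_LEN);
}

/*
 * O_LAYER2_MAC_DST_LOOKUP: match when the destination MAC is present in
 * table cmd->arg1.
 */
void
check_mac_to_lookup(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
		struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len)
{
	*cmd_ctl = IP_FW_CTL_NO;
	*cmd_val = IP_FW_NOT_MATCH;
	if ((*args)->eh != NULL)
		*cmd_val = mac_table_lookup(cmd, (*args)->eh->ether_dhost);
}

/*
 * Register the module and bind each layer-2 opcode to its filter.
 * Always returns 0; the registration helpers' results are not checked
 * here (as before).
 */
static int
ipfw3_layer2_init(void)
{
	register_ipfw_module(MODULE_LAYER2_ID, MODULE_LAYER2_NAME);
	register_ipfw_filter_funcs(MODULE_LAYER2_ID,
			O_LAYER2_LAYER2, (filter_func)check_layer2);
	register_ipfw_filter_funcs(MODULE_LAYER2_ID,
			O_LAYER2_MAC, (filter_func)check_mac);
	register_ipfw_filter_funcs(MODULE_LAYER2_ID,
			O_LAYER2_MAC_SRC, (filter_func)check_mac_from);
	register_ipfw_filter_funcs(MODULE_LAYER2_ID,
			O_LAYER2_MAC_DST, (filter_func)check_mac_to);
	register_ipfw_filter_funcs(MODULE_LAYER2_ID,
			O_LAYER2_MAC_SRC_LOOKUP,
			(filter_func)check_mac_from_lookup);
	register_ipfw_filter_funcs(MODULE_LAYER2_ID,
			O_LAYER2_MAC_DST_LOOKUP,
			(filter_func)check_mac_to_lookup);
	return 0;
}

/* Unregister the module; returns whatever unregister_ipfw_module reports. */
static int
ipfw3_layer2_stop(void)
{
	return unregister_ipfw_module(MODULE_LAYER2_ID);
}

/* Kernel module event hook: load registers, unload unregisters. */
static int
ipfw3_layer2_modevent(module_t mod, int type, void *data)
{
	switch (type) {
	case MOD_LOAD:
		return ipfw3_layer2_init();
	case MOD_UNLOAD:
		return ipfw3_layer2_stop();
	default:
		break;
	}
	return 0;
}

static moduledata_t ipfw3_layer2_mod = {
	"ipfw3_layer2",
	ipfw3_layer2_modevent,
	NULL
};

DECLARE_MODULE(ipfw3_layer2, ipfw3_layer2_mod, SI_SUB_PROTO_END, SI_ORDER_ANY);
/* The opcode/filter registry lives in ipfw3_basic, so it must load first. */
MODULE_DEPEND(ipfw3_layer2, ipfw3_basic, 1, 1, 1);
MODULE_VERSION(ipfw3_layer2, 1);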