1 /* 2 * Copyright (c) 1993 Daniel Boulet 3 * Copyright (c) 1994 Ugen J.S.Antsilevich 4 * Copyright (c) 2002 Luigi Rizzo, Universita` di Pisa 5 * Copyright (c) 2015 The DragonFly Project. All rights reserved. 6 * 7 * This code is derived from software contributed to The DragonFly Project 8 * by Bill Yuan <bycn82@gmail.com> 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in 18 * the documentation and/or other materials provided with the 19 * distribution. 20 * 3. Neither the name of The DragonFly Project nor the names of its 21 * contributors may be used to endorse or promote products derived 22 * from this software without specific, prior written permission. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 25 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 26 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 27 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 28 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 29 * INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING, 30 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 31 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 32 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 33 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT 34 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 * SUCH DAMAGE. 36 * 37 */ 38 39 #include "opt_ipfw.h" 40 #include "opt_inet.h" 41 #ifndef INET 42 #error IPFIREWALL3 requires INET. 43 #endif /* INET */ 44 45 #include <sys/param.h> 46 #include <sys/systm.h> 47 #include <sys/malloc.h> 48 #include <sys/mbuf.h> 49 #include <sys/kernel.h> 50 #include <sys/proc.h> 51 #include <sys/socket.h> 52 #include <sys/socketvar.h> 53 #include <sys/sysctl.h> 54 #include <sys/syslog.h> 55 #include <sys/ucred.h> 56 #include <sys/in_cksum.h> 57 #include <sys/lock.h> 58 #include <sys/thread2.h> 59 #include <sys/mplock2.h> 60 61 #include <netinet/in.h> 62 #include <netinet/in_systm.h> 63 #include <netinet/in_var.h> 64 #include <netinet/in_pcb.h> 65 #include <netinet/ip.h> 66 #include <netinet/ip_var.h> 67 #include <netinet/ip_icmp.h> 68 #include <netinet/tcp.h> 69 #include <netinet/tcp_timer.h> 70 #include <netinet/tcp_var.h> 71 #include <netinet/tcpip.h> 72 #include <netinet/udp.h> 73 #include <netinet/udp_var.h> 74 #include <netinet/ip_divert.h> 75 #include <netinet/if_ether.h> 76 77 #include <net/if.h> 78 #include <net/route.h> 79 #include <net/pfil.h> 80 #include <net/netmsg2.h> 81 82 #include <net/ipfw3/ip_fw.h> 83 #include <net/ipfw3_basic/ip_fw3_basic.h> 84 #include <net/ipfw3_nat/ip_fw3_nat.h> 85 #include <net/dummynet3/ip_dummynet3.h> 86 87 MALLOC_DEFINE(M_IPFW3, "IPFW3", "ip_fw3 default module"); 88 89 #ifdef IPFIREWALL_DEBUG 90 #define DPRINTF(fmt, ...) \ 91 do { \ 92 if (fw_debug > 0) \ 93 kprintf(fmt, __VA_ARGS__); \ 94 } while (0) 95 #else 96 #define DPRINTF(fmt, ...) ((void)0) 97 #endif 98 99 #define MAX_MODULE 10 100 #define MAX_OPCODE_PER_MODULE 100 101 102 #define IPFW_AUTOINC_STEP_MIN 1 103 #define IPFW_AUTOINC_STEP_MAX 1000 104 #define IPFW_AUTOINC_STEP_DEF 100 105 106 107 struct netmsg_ipfw { 108 struct netmsg_base base; 109 const struct ipfw_ioc_rule *ioc_rule; 110 struct ip_fw *rule; 111 struct ip_fw *next_rule; 112 struct ip_fw *prev_rule; 113 struct ip_fw *sibling; /* sibling in prevous CPU */ 114 }; 115 116 struct netmsg_del { 117 struct netmsg_base base; 118 struct ip_fw *rule; 119 struct ip_fw *start_rule; 120 struct ip_fw *prev_rule; 121 struct ipfw_ioc_state *ioc_state; 122 uint16_t rulenum; 123 uint8_t from_set; 124 uint8_t to_set; 125 }; 126 127 struct netmsg_zent { 128 struct netmsg_base base; 129 struct ip_fw *start_rule; 130 uint16_t rulenum; 131 uint16_t log_only; 132 }; 133 134 ipfw_nat_cfg_t *ipfw_nat_cfg_ptr; 135 ipfw_nat_cfg_t *ipfw_nat_del_ptr; 136 ipfw_nat_cfg_t *ipfw_nat_flush_ptr; 137 ipfw_nat_cfg_t *ipfw_nat_get_cfg_ptr; 138 ipfw_nat_cfg_t *ipfw_nat_get_log_ptr; 139 140 /* handlers which implemented in ipfw_basic module */ 141 ipfw_basic_delete_state_t *ipfw_basic_flush_state_prt = NULL; 142 ipfw_basic_append_state_t *ipfw_basic_append_state_prt = NULL; 143 144 static struct ipfw_context *ipfw_ctx[MAXCPU]; 145 static struct ipfw_nat_context *ipfw_nat_ctx; 146 147 extern int ip_fw_loaded; 148 static uint32_t static_count; /* # of static rules */ 149 static uint32_t static_ioc_len; /* bytes of static rules */ 150 static int ipfw_flushing; 151 static int fw_verbose; 152 static int verbose_limit; 153 static int fw_debug; 154 static int autoinc_step = IPFW_AUTOINC_STEP_DEF; 155 156 static int ipfw_sysctl_enable(SYSCTL_HANDLER_ARGS); 157 static int ipfw_sysctl_autoinc_step(SYSCTL_HANDLER_ARGS); 158 159 SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw3, CTLFLAG_RW, 0, "Firewall"); 160 SYSCTL_PROC(_net_inet_ip_fw3, OID_AUTO, enable, CTLTYPE_INT | CTLFLAG_RW, 161 &fw3_enable, 0, ipfw_sysctl_enable, "I", "Enable ipfw"); 162 SYSCTL_PROC(_net_inet_ip_fw3, OID_AUTO, autoinc_step, CTLTYPE_INT | CTLFLAG_RW, 163 &autoinc_step, 0, ipfw_sysctl_autoinc_step, "I", 164 "Rule number autincrement step"); 165 SYSCTL_INT(_net_inet_ip_fw3, OID_AUTO,one_pass,CTLFLAG_RW, 166 &fw3_one_pass, 0, 167 "Only do a single pass through ipfw when using dummynet(4)"); 168 SYSCTL_INT(_net_inet_ip_fw3, OID_AUTO, debug, CTLFLAG_RW, 169 &fw_debug, 0, "Enable printing of debug ip_fw statements"); 170 SYSCTL_INT(_net_inet_ip_fw3, OID_AUTO, verbose, CTLFLAG_RW, 171 &fw_verbose, 0, "Log matches to ipfw rules"); 172 SYSCTL_INT(_net_inet_ip_fw3, OID_AUTO, verbose_limit, CTLFLAG_RW, 173 &verbose_limit, 0, "Set upper limit of matches of ipfw rules logged"); 174 SYSCTL_INT(_net_inet_ip_fw3, OID_AUTO, static_count, CTLFLAG_RD, 175 &static_count, 0, "Number of static rules"); 176 177 filter_func filter_funcs[MAX_MODULE][MAX_OPCODE_PER_MODULE]; 178 struct ipfw_module ipfw_modules[MAX_MODULE]; 179 static int ipfw_ctl(struct sockopt *sopt); 180 181 182 void 183 check_accept(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args, 184 struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len); 185 void 186 check_deny(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args, 187 struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len); 188 void init_module(void); 189 190 191 void 192 register_ipfw_module(int module_id,char *module_name) 193 { 194 struct ipfw_module *tmp; 195 int i; 196 197 tmp = ipfw_modules; 198 for (i=0; i < MAX_MODULE; i++) { 199 if (tmp->type == 0) { 200 tmp->type = 1; 201 tmp->id = module_id; 202 strncpy(tmp->name, module_name, strlen(module_name)); 203 break; 204 } 205 tmp++; 206 } 207 kprintf("ipfw3 module %s loaded ", module_name); 208 } 209 210 int 211 unregister_ipfw_module(int module_id) 212 { 213 struct ipfw_module *tmp; 214 struct ip_fw *fw; 215 ipfw_insn *cmd; 216 int i, len, cmdlen, found; 217 218 found = 0; 219 tmp = ipfw_modules; 220 struct ipfw_context *ctx = ipfw_ctx[mycpuid]; 221 fw = ctx->ipfw_rule_chain; 222 for (; fw; fw = fw->next) { 223 for (len = fw->cmd_len, cmd = fw->cmd; len > 0; 224 len -= cmdlen, 225 cmd = (ipfw_insn *)((uint32_t *)cmd + cmdlen)) { 226 cmdlen = F_LEN(cmd); 227 if (cmd->module == 0 && 228 (cmd->opcode == 0 || cmd->opcode == 1)) { 229 //action accept or deny 230 } else if (cmd->module == module_id) { 231 found = 1; 232 goto decide; 233 } 234 } 235 } 236 decide: 237 if (found) { 238 return 1; 239 } else { 240 for (i = 0; i < MAX_MODULE; i++) { 241 if (tmp->type == 1 && tmp->id == module_id) { 242 tmp->type = 0; 243 kprintf("ipfw3 module %s unloaded ", tmp->name); 244 break; 245 } 246 tmp++; 247 } 248 249 for (i = 0; i < MAX_OPCODE_PER_MODULE; i++) { 250 if (module_id == 0) { 251 if (i ==0 || i == 1) { 252 continue; 253 } 254 } 255 filter_funcs[module_id][i] = NULL; 256 } 257 return 0; 258 } 259 } 260 261 void 262 register_ipfw_filter_funcs(int module, int opcode, filter_func func) 263 { 264 filter_funcs[module][opcode] = func; 265 } 266 267 void 268 check_accept(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args, 269 struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len) 270 { 271 *cmd_val = IP_FW_PASS; 272 *cmd_ctl = IP_FW_CTL_DONE; 273 } 274 275 void 276 check_deny(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args, 277 struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len) 278 { 279 *cmd_val = IP_FW_DENY; 280 *cmd_ctl = IP_FW_CTL_DONE; 281 } 282 283 void 284 init_module(void) 285 { 286 memset(ipfw_modules, 0, sizeof(struct ipfw_module) * MAX_MODULE); 287 memset(filter_funcs, 0, sizeof(filter_func) * 288 MAX_OPCODE_PER_MODULE * MAX_MODULE); 289 register_ipfw_filter_funcs(0, O_BASIC_ACCEPT, 290 (filter_func)check_accept); 291 register_ipfw_filter_funcs(0, O_BASIC_DENY, (filter_func)check_deny); 292 } 293 294 static __inline int 295 ipfw_free_rule(struct ip_fw *rule) 296 { 297 kfree(rule, M_IPFW3); 298 rule = NULL; 299 return 1; 300 } 301 302 static struct ip_fw * 303 lookup_next_rule(struct ip_fw *me) 304 { 305 struct ip_fw *rule = NULL; 306 ipfw_insn *cmd; 307 308 /* look for action, in case it is a skipto */ 309 cmd = ACTION_PTR(me); 310 if ((int)cmd->module == MODULE_BASIC_ID && 311 (int)cmd->opcode == O_BASIC_SKIPTO) { 312 for (rule = me->next; rule; rule = rule->next) { 313 if (rule->rulenum >= cmd->arg1) 314 break; 315 } 316 } 317 if (rule == NULL) { /* failure or not a skipto */ 318 rule = me->next; 319 } 320 me->next_rule = rule; 321 return rule; 322 } 323 324 /* 325 * rules are stored in ctx->ipfw_rule_chain. 326 * and each rule is combination of multiple cmds.(ipfw_insn) 327 * in each rule, it begin with filter cmds. and end with action cmds. 328 * 'outer/inner loop' are looping the rules/cmds. 329 * it will invoke the cmds relatived function according to the cmd's 330 * module id and opcode id. and process according to return value. 331 */ 332 static int 333 ipfw_chk(struct ip_fw_args *args) 334 { 335 struct mbuf *m = args->m; 336 struct ip *ip = mtod(m, struct ip *); 337 struct ip_fw *f = NULL; /* matching rule */ 338 int cmd_val = IP_FW_PASS; 339 struct m_tag *mtag; 340 struct divert_info *divinfo; 341 342 /* 343 * hlen The length of the IPv4 header. 344 * hlen >0 means we have an IPv4 packet. 345 */ 346 u_int hlen = 0; /* hlen >0 means we have an IP pkt */ 347 348 /* 349 * offset The offset of a fragment. offset != 0 means that 350 * we have a fragment at this offset of an IPv4 packet. 351 * offset == 0 means that (if this is an IPv4 packet) 352 * this is the first or only fragment. 353 */ 354 u_short offset = 0; 355 356 uint8_t proto; 357 uint16_t src_port = 0, dst_port = 0; /* NOTE: host format */ 358 struct in_addr src_ip, dst_ip; /* NOTE: network format */ 359 uint16_t ip_len = 0; 360 uint8_t prev_module = -1, prev_opcode = -1; /* previous module & opcode */ 361 struct ipfw_context *ctx = ipfw_ctx[mycpuid]; 362 363 if (m->m_pkthdr.fw_flags & IPFW_MBUF_GENERATED) 364 return IP_FW_PASS; /* accept */ 365 366 if (args->eh == NULL || /* layer 3 packet */ 367 (m->m_pkthdr.len >= sizeof(struct ip) && 368 ntohs(args->eh->ether_type) == ETHERTYPE_IP)) 369 hlen = ip->ip_hl << 2; 370 371 /* 372 * Collect parameters into local variables for faster matching. 373 */ 374 if (hlen == 0) { /* do not grab addresses for non-ip pkts */ 375 proto = args->f_id.proto = 0; /* mark f_id invalid */ 376 goto after_ip_checks; 377 } 378 379 proto = args->f_id.proto = ip->ip_p; 380 src_ip = ip->ip_src; 381 dst_ip = ip->ip_dst; 382 if (args->eh != NULL) { /* layer 2 packets are as on the wire */ 383 offset = ntohs(ip->ip_off) & IP_OFFMASK; 384 ip_len = ntohs(ip->ip_len); 385 } else { 386 offset = ip->ip_off & IP_OFFMASK; 387 ip_len = ip->ip_len; 388 } 389 390 #define PULLUP_TO(len) \ 391 do { \ 392 if (m->m_len < (len)) { \ 393 args->m = m = m_pullup(m, (len)); \ 394 if (m == NULL) \ 395 goto pullup_failed; \ 396 ip = mtod(m, struct ip *); \ 397 } \ 398 } while (0) 399 400 if (offset == 0) { 401 switch (proto) { 402 case IPPROTO_TCP: 403 { 404 struct tcphdr *tcp; 405 406 PULLUP_TO(hlen + sizeof(struct tcphdr)); 407 tcp = L3HDR(struct tcphdr, ip); 408 dst_port = tcp->th_dport; 409 src_port = tcp->th_sport; 410 args->f_id.flags = tcp->th_flags; 411 } 412 break; 413 414 case IPPROTO_UDP: 415 { 416 struct udphdr *udp; 417 418 PULLUP_TO(hlen + sizeof(struct udphdr)); 419 udp = L3HDR(struct udphdr, ip); 420 dst_port = udp->uh_dport; 421 src_port = udp->uh_sport; 422 } 423 break; 424 425 case IPPROTO_ICMP: 426 PULLUP_TO(hlen + 4); 427 args->f_id.flags = 428 L3HDR(struct icmp, ip)->icmp_type; 429 break; 430 431 default: 432 break; 433 } 434 } 435 436 #undef PULLUP_TO 437 438 args->f_id.src_ip = ntohl(src_ip.s_addr); 439 args->f_id.dst_ip = ntohl(dst_ip.s_addr); 440 args->f_id.src_port = src_port = ntohs(src_port); 441 args->f_id.dst_port = dst_port = ntohs(dst_port); 442 443 after_ip_checks: 444 if (args->rule) { 445 /* 446 * Packet has already been tagged. Look for the next rule 447 * to restart processing. 448 * 449 * If fw3_one_pass != 0 then just accept it. 450 * XXX should not happen here, but optimized out in 451 * the caller. 452 */ 453 if (fw3_one_pass) 454 return IP_FW_PASS; 455 456 /* This rule is being/has been flushed */ 457 if (ipfw_flushing) 458 return IP_FW_DENY; 459 460 f = args->rule->next_rule; 461 if (f == NULL) 462 f = lookup_next_rule(args->rule); 463 } else { 464 /* 465 * Find the starting rule. It can be either the first 466 * one, or the one after divert_rule if asked so. 467 */ 468 int skipto; 469 470 mtag = m_tag_find(m, PACKET_TAG_IPFW_DIVERT, NULL); 471 if (mtag != NULL) { 472 divinfo = m_tag_data(mtag); 473 skipto = divinfo->skipto; 474 } else { 475 skipto = 0; 476 } 477 478 f = ctx->ipfw_rule_chain; 479 if (args->eh == NULL && skipto != 0) { 480 /* No skipto during rule flushing */ 481 if (ipfw_flushing) { 482 return IP_FW_DENY; 483 } 484 if (skipto >= IPFW_DEFAULT_RULE) { 485 return IP_FW_DENY; /* invalid */ 486 } 487 while (f && f->rulenum <= skipto) { 488 f = f->next; 489 } 490 if (f == NULL) { /* drop packet */ 491 return IP_FW_DENY; 492 } 493 } else if (ipfw_flushing) { 494 /* Rules are being flushed; skip to default rule */ 495 f = ctx->ipfw_default_rule; 496 } 497 } 498 if ((mtag = m_tag_find(m, PACKET_TAG_IPFW_DIVERT, NULL)) != NULL) { 499 m_tag_delete(m, mtag); 500 } 501 502 /* 503 * Now scan the rules, and parse microinstructions for each rule. 504 */ 505 int prev_val; /* previous result of 'or' filter */ 506 int l, cmdlen; 507 ipfw_insn *cmd; 508 int cmd_ctl; 509 /* foreach rule in chain */ 510 for (; f; f = f->next) { 511 again: /* check the rule again*/ 512 if (ctx->ipfw_set_disable & (1 << f->set)) { 513 continue; 514 } 515 516 prev_val = -1; 517 /* foreach cmd in rule */ 518 for (l = f->cmd_len, cmd = f->cmd; l > 0; l -= cmdlen, 519 cmd = (ipfw_insn *)((uint32_t *)cmd+ cmdlen)) { 520 cmdlen = F_LEN(cmd); 521 522 /* skip 'or' filter when already match */ 523 if (cmd->len & F_OR && 524 cmd->module == prev_module && 525 cmd->opcode == prev_opcode && 526 prev_val == 1) { 527 goto next_cmd; 528 } 529 530 check_body: /* check the body of the rule again.*/ 531 (filter_funcs[cmd->module][cmd->opcode]) 532 (&cmd_ctl, &cmd_val, &args, &f, cmd, ip_len); 533 switch(cmd_ctl) { 534 case IP_FW_CTL_DONE: 535 if (prev_val == 0) /* but 'or' failed */ 536 goto next_rule; 537 goto done; 538 case IP_FW_CTL_AGAIN: 539 goto again; 540 case IP_FW_CTL_NEXT: 541 goto next_rule; 542 case IP_FW_CTL_NAT: 543 args->rule=f; 544 goto done; 545 case IP_FW_CTL_CHK_STATE: 546 /* update the cmd and l */ 547 cmd = ACTION_PTR(f); 548 l = f->cmd_len - f->act_ofs; 549 goto check_body; 550 } 551 if (cmd->len & F_NOT) 552 cmd_val= !cmd_val; 553 554 if (cmd->len & F_OR) { /* has 'or' */ 555 if (!cmd_val) { /* not matched */ 556 if(prev_val == -1){ /* first 'or' */ 557 prev_val = 0; 558 prev_module = cmd->module; 559 prev_opcode = cmd->opcode; 560 } else if (prev_module == cmd->module && 561 prev_opcode == cmd->opcode) { 562 /* continuous 'or' filter */ 563 } else if (prev_module != cmd->module || 564 prev_opcode != cmd->opcode) { 565 /* 'or' filter changed */ 566 if(prev_val == 0){ 567 goto next_rule; 568 } else { 569 prev_val = 0; 570 prev_module = cmd->module; 571 prev_opcode = cmd->opcode; 572 } 573 } 574 } else { /* has 'or' and matched */ 575 prev_val = 1; 576 prev_module = cmd->module; 577 prev_opcode = cmd->opcode; 578 } 579 } else { /* no or */ 580 if (!cmd_val) { /* not matched */ 581 goto next_rule; 582 } else { 583 if (prev_val == 0) { 584 /* previous 'or' not matched */ 585 goto next_rule; 586 } else { 587 prev_val = -1; 588 } 589 } 590 } 591 next_cmd:; 592 } /* end of inner for, scan opcodes */ 593 next_rule:; /* try next rule */ 594 } /* end of outer for, scan rules */ 595 kprintf("+++ ipfw: ouch!, skip past end of rules, denying packet\n"); 596 return IP_FW_DENY; 597 598 done: 599 /* Update statistics */ 600 f->pcnt++; 601 f->bcnt += ip_len; 602 f->timestamp = time_second; 603 return cmd_val; 604 605 pullup_failed: 606 if (fw_verbose) 607 kprintf("pullup failed\n"); 608 return IP_FW_DENY; 609 } 610 611 static void 612 ipfw_dummynet_io(struct mbuf *m, int pipe_nr, int dir, struct ip_fw_args *fwa) 613 { 614 struct m_tag *mtag; 615 struct dn_pkt *pkt; 616 ipfw_insn *cmd; 617 const struct ipfw_flow_id *id; 618 struct dn_flow_id *fid; 619 620 M_ASSERTPKTHDR(m); 621 622 mtag = m_tag_get(PACKET_TAG_DUMMYNET, sizeof(*pkt), M_NOWAIT); 623 if (mtag == NULL) { 624 m_freem(m); 625 return; 626 } 627 m_tag_prepend(m, mtag); 628 629 pkt = m_tag_data(mtag); 630 bzero(pkt, sizeof(*pkt)); 631 632 cmd = (ipfw_insn *)((uint32_t *)fwa->rule->cmd + fwa->rule->act_ofs); 633 KASSERT(cmd->opcode == O_DUMMYNET_PIPE || 634 cmd->opcode == O_DUMMYNET_QUEUE, 635 ("Rule is not PIPE or QUEUE, opcode %d", cmd->opcode)); 636 637 pkt->dn_m = m; 638 pkt->dn_flags = (dir & DN_FLAGS_DIR_MASK); 639 pkt->ifp = fwa->oif; 640 pkt->pipe_nr = pipe_nr; 641 642 pkt->cpuid = mycpuid; 643 pkt->msgport = netisr_curport(); 644 645 id = &fwa->f_id; 646 fid = &pkt->id; 647 fid->fid_dst_ip = id->dst_ip; 648 fid->fid_src_ip = id->src_ip; 649 fid->fid_dst_port = id->dst_port; 650 fid->fid_src_port = id->src_port; 651 fid->fid_proto = id->proto; 652 fid->fid_flags = id->flags; 653 654 pkt->dn_priv = fwa->rule; 655 656 if ((int)cmd->opcode == O_DUMMYNET_PIPE) 657 pkt->dn_flags |= DN_FLAGS_IS_PIPE; 658 659 m->m_pkthdr.fw_flags |= DUMMYNET_MBUF_TAGGED; 660 } 661 662 static __inline void 663 ipfw_inc_static_count(struct ip_fw *rule) 664 { 665 /* Static rule's counts are updated only on CPU0 */ 666 KKASSERT(mycpuid == 0); 667 668 static_count++; 669 static_ioc_len += IOC_RULESIZE(rule); 670 } 671 672 static __inline void 673 ipfw_dec_static_count(struct ip_fw *rule) 674 { 675 int l = IOC_RULESIZE(rule); 676 677 /* Static rule's counts are updated only on CPU0 */ 678 KKASSERT(mycpuid == 0); 679 680 KASSERT(static_count > 0, ("invalid static count %u", static_count)); 681 static_count--; 682 683 KASSERT(static_ioc_len >= l, 684 ("invalid static len %u", static_ioc_len)); 685 static_ioc_len -= l; 686 } 687 688 static void 689 ipfw_add_rule_dispatch(netmsg_t nmsg) 690 { 691 struct netmsg_ipfw *fwmsg = (struct netmsg_ipfw *)nmsg; 692 struct ipfw_context *ctx = ipfw_ctx[mycpuid]; 693 struct ip_fw *rule, *prev,*next; 694 const struct ipfw_ioc_rule *ioc_rule; 695 696 ioc_rule = fwmsg->ioc_rule; 697 // create rule by ioc_rule 698 rule = kmalloc(RULESIZE(ioc_rule), M_IPFW3, M_WAITOK | M_ZERO); 699 rule->act_ofs = ioc_rule->act_ofs; 700 rule->cmd_len = ioc_rule->cmd_len; 701 rule->rulenum = ioc_rule->rulenum; 702 rule->set = ioc_rule->set; 703 bcopy(ioc_rule->cmd, rule->cmd, rule->cmd_len * 4); 704 705 for (prev = NULL, next = ctx->ipfw_rule_chain; 706 next; prev = next, next = next->next) { 707 if (next->rulenum > ioc_rule->rulenum) { 708 break; 709 } 710 } 711 KASSERT(next != NULL, ("no default rule?!")); 712 713 /* 714 * Insert rule into the pre-determined position 715 */ 716 if (prev != NULL) { 717 rule->next = next; 718 prev->next = rule; 719 } else { 720 rule->next = ctx->ipfw_rule_chain; 721 ctx->ipfw_rule_chain = rule; 722 } 723 724 /* 725 * if sibiling in last CPU is exists, 726 * then it's sibling should be current rule 727 */ 728 if (fwmsg->sibling != NULL) { 729 fwmsg->sibling->sibling = rule; 730 } 731 /* prepare for next CPU */ 732 fwmsg->sibling = rule; 733 734 if (mycpuid == 0) { 735 /* Statistics only need to be updated once */ 736 ipfw_inc_static_count(rule); 737 } 738 ifnet_forwardmsg(&nmsg->lmsg, mycpuid + 1); 739 } 740 741 /* 742 * confirm the rulenumber 743 * call dispatch function to add rule into the list 744 * Update the statistic 745 */ 746 static void 747 ipfw_add_rule(struct ipfw_ioc_rule *ioc_rule) 748 { 749 struct ipfw_context *ctx = ipfw_ctx[mycpuid]; 750 struct netmsg_ipfw fwmsg; 751 struct netmsg_base *nmsg; 752 struct ip_fw *f; 753 754 IPFW_ASSERT_CFGPORT(&curthread->td_msgport); 755 756 /* 757 * If rulenum is 0, find highest numbered rule before the 758 * default rule, and add rule number incremental step. 759 */ 760 if (ioc_rule->rulenum == 0) { 761 int step = autoinc_step; 762 763 KKASSERT(step >= IPFW_AUTOINC_STEP_MIN && 764 step <= IPFW_AUTOINC_STEP_MAX); 765 766 /* 767 * Locate the highest numbered rule before default 768 */ 769 for (f = ctx->ipfw_rule_chain; f; f = f->next) { 770 if (f->rulenum == IPFW_DEFAULT_RULE) 771 break; 772 ioc_rule->rulenum = f->rulenum; 773 } 774 if (ioc_rule->rulenum < IPFW_DEFAULT_RULE - step) 775 ioc_rule->rulenum += step; 776 } 777 KASSERT(ioc_rule->rulenum != IPFW_DEFAULT_RULE && 778 ioc_rule->rulenum != 0, 779 ("invalid rule num %d", ioc_rule->rulenum)); 780 781 bzero(&fwmsg, sizeof(fwmsg)); 782 nmsg = &fwmsg.base; 783 netmsg_init(nmsg, NULL, &curthread->td_msgport, 784 0, ipfw_add_rule_dispatch); 785 fwmsg.ioc_rule = ioc_rule; 786 787 ifnet_domsg(&nmsg->lmsg, 0); 788 789 DPRINTF("++ installed rule %d, static count now %d\n", 790 ioc_rule->rulenum, static_count); 791 } 792 793 /** 794 * Free storage associated with a static rule (including derived 795 * dynamic rules). 796 * The caller is in charge of clearing rule pointers to avoid 797 * dangling pointers. 798 * @return a pointer to the next entry. 799 * Arguments are not checked, so they better be correct. 800 * Must be called at splimp(). 801 */ 802 static struct ip_fw * 803 ipfw_delete_rule(struct ipfw_context *ctx, 804 struct ip_fw *prev, struct ip_fw *rule) 805 { 806 if (prev == NULL) 807 ctx->ipfw_rule_chain = rule->next; 808 else 809 prev->next = rule->next; 810 811 if (mycpuid == IPFW_CFGCPUID) 812 ipfw_dec_static_count(rule); 813 814 kfree(rule, M_IPFW3); 815 rule = NULL; 816 return NULL; 817 } 818 819 static void 820 ipfw_flush_rule_dispatch(netmsg_t nmsg) 821 { 822 struct lwkt_msg *lmsg = &nmsg->lmsg; 823 struct ipfw_context *ctx = ipfw_ctx[mycpuid]; 824 struct ip_fw *rule, *the_rule; 825 int kill_default = lmsg->u.ms_result; 826 827 rule = ctx->ipfw_rule_chain; 828 while (rule != NULL) { 829 if (rule->rulenum == IPFW_DEFAULT_RULE && kill_default == 0) { 830 ctx->ipfw_rule_chain = rule; 831 break; 832 } 833 the_rule = rule; 834 rule = rule->next; 835 if (mycpuid == IPFW_CFGCPUID) 836 ipfw_dec_static_count(the_rule); 837 838 kfree(the_rule, M_IPFW3); 839 } 840 841 ifnet_forwardmsg(lmsg, mycpuid + 1); 842 } 843 844 static void 845 ipfw_append_state_dispatch(netmsg_t nmsg) 846 { 847 struct netmsg_del *dmsg = (struct netmsg_del *)nmsg; 848 struct ipfw_ioc_state *ioc_state = dmsg->ioc_state; 849 (*ipfw_basic_append_state_prt)(ioc_state); 850 ifnet_forwardmsg(&nmsg->lmsg, mycpuid + 1); 851 } 852 853 static void 854 ipfw_delete_state_dispatch(netmsg_t nmsg) 855 { 856 struct netmsg_del *dmsg = (struct netmsg_del *)nmsg; 857 struct ipfw_context *ctx = ipfw_ctx[mycpuid]; 858 struct ip_fw *rule = ctx->ipfw_rule_chain; 859 while (rule != NULL) { 860 if (rule->rulenum == dmsg->rulenum) { 861 break; 862 } 863 rule = rule->next; 864 } 865 866 (*ipfw_basic_flush_state_prt)(rule); 867 ifnet_forwardmsg(&nmsg->lmsg, mycpuid + 1); 868 } 869 870 /* 871 * Deletes all rules from a chain (including the default rule 872 * if the second argument is set). 873 * Must be called at splimp(). 874 */ 875 static void 876 ipfw_ctl_flush_rule(int kill_default) 877 { 878 struct netmsg_del dmsg; 879 struct netmsg_base nmsg; 880 struct lwkt_msg *lmsg; 881 882 IPFW_ASSERT_CFGPORT(&curthread->td_msgport); 883 884 /* 885 * If 'kill_default' then caller has done the necessary 886 * msgport syncing; unnecessary to do it again. 887 */ 888 if (!kill_default) { 889 /* 890 * Let ipfw_chk() know the rules are going to 891 * be flushed, so it could jump directly to 892 * the default rule. 893 */ 894 ipfw_flushing = 1; 895 netmsg_service_sync(); 896 } 897 898 /* 899 * if ipfw_basic_flush_state_prt 900 * flush all states in all CPU 901 */ 902 if (ipfw_basic_flush_state_prt != NULL) { 903 bzero(&dmsg, sizeof(dmsg)); 904 netmsg_init(&dmsg.base, NULL, &curthread->td_msgport, 905 0, ipfw_delete_state_dispatch); 906 ifnet_domsg(&dmsg.base.lmsg, 0); 907 } 908 /* 909 * Press the 'flush' button 910 */ 911 bzero(&nmsg, sizeof(nmsg)); 912 netmsg_init(&nmsg, NULL, &curthread->td_msgport, 913 0, ipfw_flush_rule_dispatch); 914 lmsg = &nmsg.lmsg; 915 lmsg->u.ms_result = kill_default; 916 ifnet_domsg(lmsg, 0); 917 918 if (kill_default) { 919 KASSERT(static_count == 0, 920 ("%u static rules remain", static_count)); 921 KASSERT(static_ioc_len == 0, 922 ("%u bytes of static rules remain", static_ioc_len)); 923 } 924 925 /* Flush is done */ 926 ipfw_flushing = 0; 927 } 928 929 static void 930 ipfw_delete_rule_dispatch(netmsg_t nmsg) 931 { 932 struct netmsg_del *dmsg = (struct netmsg_del *)nmsg; 933 struct ipfw_context *ctx = ipfw_ctx[mycpuid]; 934 struct ip_fw *rule, *prev = NULL; 935 936 rule = ctx->ipfw_rule_chain; 937 while (rule!=NULL) { 938 if (rule->rulenum == dmsg->rulenum) { 939 ipfw_delete_rule(ctx, prev, rule); 940 break; 941 } 942 prev = rule; 943 rule = rule->next; 944 } 945 946 ifnet_forwardmsg(&nmsg->lmsg, mycpuid + 1); 947 } 948 949 static int 950 ipfw_alt_delete_rule(uint16_t rulenum) 951 { 952 struct netmsg_del dmsg; 953 struct netmsg_base *nmsg; 954 955 /* 956 * delete the state which stub is the rule 957 * which belongs to the CPU and the rulenum 958 */ 959 bzero(&dmsg, sizeof(dmsg)); 960 nmsg = &dmsg.base; 961 netmsg_init(nmsg, NULL, &curthread->td_msgport, 962 0, ipfw_delete_state_dispatch); 963 dmsg.rulenum = rulenum; 964 ifnet_domsg(&nmsg->lmsg, 0); 965 966 /* 967 * Get rid of the rule duplications on all CPUs 968 */ 969 bzero(&dmsg, sizeof(dmsg)); 970 nmsg = &dmsg.base; 971 netmsg_init(nmsg, NULL, &curthread->td_msgport, 972 0, ipfw_delete_rule_dispatch); 973 dmsg.rulenum = rulenum; 974 ifnet_domsg(&nmsg->lmsg, 0); 975 return 0; 976 } 977 978 static void 979 ipfw_alt_delete_ruleset_dispatch(netmsg_t nmsg) 980 { 981 struct netmsg_del *dmsg = (struct netmsg_del *)nmsg; 982 struct ipfw_context *ctx = ipfw_ctx[mycpuid]; 983 struct ip_fw *prev, *rule; 984 #ifdef INVARIANTS 985 int del = 0; 986 #endif 987 988 prev = NULL; 989 rule = ctx->ipfw_rule_chain; 990 while (rule != NULL) { 991 if (rule->set == dmsg->from_set) { 992 rule = ipfw_delete_rule(ctx, prev, rule); 993 #ifdef INVARIANTS 994 del = 1; 995 #endif 996 } else { 997 prev = rule; 998 rule = rule->next; 999 } 1000 } 1001 KASSERT(del, ("no match set?!")); 1002 1003 ifnet_forwardmsg(&nmsg->lmsg, mycpuid + 1); 1004 } 1005 1006 static void 1007 ipfw_disable_ruleset_state_dispatch(netmsg_t nmsg) 1008 { 1009 struct netmsg_del *dmsg = (struct netmsg_del *)nmsg; 1010 struct ipfw_context *ctx = ipfw_ctx[mycpuid]; 1011 struct ip_fw *rule; 1012 #ifdef INVARIANTS 1013 int cleared = 0; 1014 #endif 1015 1016 for (rule = ctx->ipfw_rule_chain; rule; rule = rule->next) { 1017 if (rule->set == dmsg->from_set) { 1018 #ifdef INVARIANTS 1019 cleared = 1; 1020 #endif 1021 } 1022 } 1023 KASSERT(cleared, ("no match set?!")); 1024 1025 ifnet_forwardmsg(&nmsg->lmsg, mycpuid + 1); 1026 } 1027 1028 static int 1029 ipfw_alt_delete_ruleset(uint8_t set) 1030 { 1031 struct netmsg_del dmsg; 1032 struct netmsg_base *nmsg; 1033 int state, del; 1034 struct ip_fw *rule; 1035 struct ipfw_context *ctx = ipfw_ctx[mycpuid]; 1036 1037 /* 1038 * Check whether the 'set' exists. If it exists, 1039 * then check whether any rules within the set will 1040 * try to create states. 1041 */ 1042 state = 0; 1043 del = 0; 1044 for (rule = ctx->ipfw_rule_chain; rule; rule = rule->next) { 1045 if (rule->set == set) { 1046 del = 1; 1047 } 1048 } 1049 if (!del) 1050 return 0; /* XXX EINVAL? */ 1051 1052 if (state) { 1053 /* 1054 * Clear the STATE flag, so no more states will be 1055 * created based the rules in this set. 1056 */ 1057 bzero(&dmsg, sizeof(dmsg)); 1058 nmsg = &dmsg.base; 1059 netmsg_init(nmsg, NULL, &curthread->td_msgport, 1060 0, ipfw_disable_ruleset_state_dispatch); 1061 dmsg.from_set = set; 1062 1063 ifnet_domsg(&nmsg->lmsg, 0); 1064 } 1065 1066 /* 1067 * Delete this set 1068 */ 1069 bzero(&dmsg, sizeof(dmsg)); 1070 nmsg = &dmsg.base; 1071 netmsg_init(nmsg, NULL, &curthread->td_msgport, 1072 0, ipfw_alt_delete_ruleset_dispatch); 1073 dmsg.from_set = set; 1074 1075 ifnet_domsg(&nmsg->lmsg, 0); 1076 return 0; 1077 } 1078 1079 static void 1080 ipfw_alt_move_rule_dispatch(netmsg_t nmsg) 1081 { 1082 struct netmsg_del *dmsg = (struct netmsg_del *)nmsg; 1083 struct ip_fw *rule; 1084 1085 rule = dmsg->start_rule; 1086 1087 /* 1088 * Move to the position on the next CPU 1089 * before the msg is forwarded. 1090 */ 1091 1092 while (rule && rule->rulenum <= dmsg->rulenum) { 1093 if (rule->rulenum == dmsg->rulenum) 1094 rule->set = dmsg->to_set; 1095 rule = rule->next; 1096 } 1097 ifnet_forwardmsg(&nmsg->lmsg, mycpuid + 1); 1098 } 1099 1100 static int 1101 ipfw_alt_move_rule(uint16_t rulenum, uint8_t set) 1102 { 1103 struct netmsg_del dmsg; 1104 struct netmsg_base *nmsg; 1105 struct ip_fw *rule; 1106 struct ipfw_context *ctx = ipfw_ctx[mycpuid]; 1107 1108 /* 1109 * Locate first rule to move 1110 */ 1111 for (rule = ctx->ipfw_rule_chain; 1112 rule && rule->rulenum <= rulenum; rule = rule->next) { 1113 if (rule->rulenum == rulenum && rule->set != set) 1114 break; 1115 } 1116 if (rule == NULL || rule->rulenum > rulenum) 1117 return 0; /* XXX error? */ 1118 1119 bzero(&dmsg, sizeof(dmsg)); 1120 nmsg = &dmsg.base; 1121 netmsg_init(nmsg, NULL, &curthread->td_msgport, 1122 0, ipfw_alt_move_rule_dispatch); 1123 dmsg.start_rule = rule; 1124 dmsg.rulenum = rulenum; 1125 dmsg.to_set = set; 1126 1127 ifnet_domsg(&nmsg->lmsg, 0); 1128 KKASSERT(dmsg.start_rule == NULL); 1129 return 0; 1130 } 1131 1132 static void 1133 ipfw_alt_move_ruleset_dispatch(netmsg_t nmsg) 1134 { 1135 struct netmsg_del *dmsg = (struct netmsg_del *)nmsg; 1136 struct ipfw_context *ctx = ipfw_ctx[mycpuid]; 1137 struct ip_fw *rule; 1138 1139 for (rule = ctx->ipfw_rule_chain; rule; rule = rule->next) { 1140 if (rule->set == dmsg->from_set) 1141 rule->set = dmsg->to_set; 1142 } 1143 ifnet_forwardmsg(&nmsg->lmsg, mycpuid + 1); 1144 } 1145 1146 static int 1147 ipfw_alt_move_ruleset(uint8_t from_set, uint8_t to_set) 1148 { 1149 struct netmsg_del dmsg; 1150 struct netmsg_base *nmsg; 1151 1152 bzero(&dmsg, sizeof(dmsg)); 1153 nmsg = &dmsg.base; 1154 netmsg_init(nmsg, NULL, &curthread->td_msgport, 1155 0, ipfw_alt_move_ruleset_dispatch); 1156 dmsg.from_set = from_set; 1157 dmsg.to_set = to_set; 1158 1159 ifnet_domsg(&nmsg->lmsg, 0); 1160 return 0; 1161 } 1162 1163 static void 1164 ipfw_alt_swap_ruleset_dispatch(netmsg_t nmsg) 1165 { 1166 struct netmsg_del *dmsg = (struct netmsg_del *)nmsg; 1167 struct ipfw_context *ctx = ipfw_ctx[mycpuid]; 1168 struct ip_fw *rule; 1169 1170 for (rule = ctx->ipfw_rule_chain; rule; rule = rule->next) { 1171 if (rule->set == dmsg->from_set) 1172 rule->set = dmsg->to_set; 1173 else if (rule->set == dmsg->to_set) 1174 rule->set = dmsg->from_set; 1175 } 1176 ifnet_forwardmsg(&nmsg->lmsg, mycpuid + 1); 1177 } 1178 1179 static int 1180 ipfw_alt_swap_ruleset(uint8_t set1, uint8_t set2) 1181 { 1182 struct netmsg_del dmsg; 1183 struct netmsg_base *nmsg; 1184 1185 bzero(&dmsg, sizeof(dmsg)); 1186 nmsg = &dmsg.base; 1187 netmsg_init(nmsg, NULL, &curthread->td_msgport, 1188 0, ipfw_alt_swap_ruleset_dispatch); 1189 dmsg.from_set = set1; 1190 dmsg.to_set = set2; 1191 1192 ifnet_domsg(&nmsg->lmsg, 0); 1193 return 0; 1194 } 1195 1196 1197 static int 1198 ipfw_ctl_alter(uint32_t arg) 1199 { 1200 uint16_t rulenum; 1201 uint8_t cmd, new_set; 1202 int error = 0; 1203 1204 rulenum = arg & 0xffff; 1205 cmd = (arg >> 24) & 0xff; 1206 new_set = (arg >> 16) & 0xff; 1207 1208 if (cmd > 4) 1209 return EINVAL; 1210 if (new_set >= IPFW_DEFAULT_SET) 1211 return EINVAL; 1212 if (cmd == 0 || cmd == 2) { 1213 if (rulenum == IPFW_DEFAULT_RULE) 1214 return EINVAL; 1215 } else { 1216 if (rulenum >= IPFW_DEFAULT_SET) 1217 return EINVAL; 1218 } 1219 1220 switch (cmd) { 1221 case 0: /* delete rules with given number */ 1222 error = ipfw_alt_delete_rule(rulenum); 1223 break; 1224 1225 case 1: /* delete all rules with given set number */ 1226 error = ipfw_alt_delete_ruleset(rulenum); 1227 break; 1228 1229 case 2: /* move rules with given number to new set */ 1230 error = ipfw_alt_move_rule(rulenum, new_set); 1231 break; 1232 1233 case 3: /* move rules with given set number to new set */ 1234 error = ipfw_alt_move_ruleset(rulenum, new_set); 1235 break; 1236 1237 case 4: /* swap two sets */ 1238 error = ipfw_alt_swap_ruleset(rulenum, new_set); 1239 break; 1240 } 1241 return error; 1242 } 1243 1244 /* 1245 * Clear counters for a specific rule. 1246 */ 1247 static void 1248 clear_counters(struct ip_fw *rule) 1249 { 1250 rule->bcnt = rule->pcnt = 0; 1251 rule->timestamp = 0; 1252 } 1253 1254 static void 1255 ipfw_zero_entry_dispatch(netmsg_t nmsg) 1256 { 1257 struct netmsg_zent *zmsg = (struct netmsg_zent *)nmsg; 1258 struct ipfw_context *ctx = ipfw_ctx[mycpuid]; 1259 struct ip_fw *rule; 1260 1261 if (zmsg->rulenum == 0) { 1262 for (rule = ctx->ipfw_rule_chain; rule; rule = rule->next) { 1263 clear_counters(rule); 1264 } 1265 } else { 1266 for (rule = ctx->ipfw_rule_chain; rule; rule = rule->next) { 1267 if (rule->rulenum == zmsg->rulenum) { 1268 clear_counters(rule); 1269 } 1270 } 1271 } 1272 ifnet_forwardmsg(&nmsg->lmsg, mycpuid + 1); 1273 } 1274 1275 /** 1276 * Reset some or all counters on firewall rules. 1277 * @arg frwl is null to clear all entries, or contains a specific 1278 * rule number. 1279 * @arg log_only is 1 if we only want to reset logs, zero otherwise. 1280 */ 1281 static int 1282 ipfw_ctl_zero_entry(int rulenum, int log_only) 1283 { 1284 struct netmsg_zent zmsg; 1285 struct netmsg_base *nmsg; 1286 const char *msg; 1287 struct ipfw_context *ctx = ipfw_ctx[mycpuid]; 1288 1289 bzero(&zmsg, sizeof(zmsg)); 1290 nmsg = &zmsg.base; 1291 netmsg_init(nmsg, NULL, &curthread->td_msgport, 1292 0, ipfw_zero_entry_dispatch); 1293 zmsg.log_only = log_only; 1294 1295 if (rulenum == 0) { 1296 msg = log_only ? "ipfw: All logging counts reset.\n" 1297 : "ipfw: Accounting cleared.\n"; 1298 } else { 1299 struct ip_fw *rule; 1300 1301 /* 1302 * Locate the first rule with 'rulenum' 1303 */ 1304 for (rule = ctx->ipfw_rule_chain; rule; rule = rule->next) { 1305 if (rule->rulenum == rulenum) 1306 break; 1307 } 1308 if (rule == NULL) /* we did not find any matching rules */ 1309 return (EINVAL); 1310 zmsg.start_rule = rule; 1311 zmsg.rulenum = rulenum; 1312 1313 msg = log_only ? "ipfw: Entry %d logging count reset.\n" 1314 : "ipfw: Entry %d cleared.\n"; 1315 } 1316 ifnet_domsg(&nmsg->lmsg, 0); 1317 KKASSERT(zmsg.start_rule == NULL); 1318 1319 if (fw_verbose) 1320 log(LOG_SECURITY | LOG_NOTICE, msg, rulenum); 1321 return (0); 1322 } 1323 1324 static int 1325 ipfw_ctl_add_state(struct sockopt *sopt) 1326 { 1327 struct ipfw_ioc_state *ioc_state; 1328 ioc_state = sopt->sopt_val; 1329 if (ipfw_basic_append_state_prt != NULL) { 1330 struct netmsg_del dmsg; 1331 bzero(&dmsg, sizeof(dmsg)); 1332 netmsg_init(&dmsg.base, NULL, &curthread->td_msgport, 1333 0, ipfw_append_state_dispatch); 1334 (&dmsg)->ioc_state = ioc_state; 1335 ifnet_domsg(&dmsg.base.lmsg, 0); 1336 } 1337 return 0; 1338 } 1339 1340 static int 1341 ipfw_ctl_delete_state(struct sockopt *sopt) 1342 { 1343 int rulenum = 0, error; 1344 if (sopt->sopt_valsize != 0) { 1345 error = soopt_to_kbuf(sopt, &rulenum, sizeof(int), sizeof(int)); 1346 if (error) { 1347 return -1; 1348 } 1349 } 1350 struct ipfw_context *ctx = ipfw_ctx[mycpuid]; 1351 struct ip_fw *rule = ctx->ipfw_rule_chain; 1352 1353 while (rule!=NULL) { 1354 if (rule->rulenum == rulenum) { 1355 break; 1356 } 1357 rule = rule->next; 1358 } 1359 if (rule == NULL) { 1360 return -1; 1361 } 1362 1363 struct netmsg_del dmsg; 1364 struct netmsg_base *nmsg; 1365 /* 1366 * delete the state which stub is the rule 1367 * which belongs to the CPU and the rulenum 1368 */ 1369 bzero(&dmsg, sizeof(dmsg)); 1370 nmsg = &dmsg.base; 1371 netmsg_init(nmsg, NULL, &curthread->td_msgport, 1372 0, ipfw_delete_state_dispatch); 1373 dmsg.rulenum = rulenum; 1374 ifnet_domsg(&nmsg->lmsg, 0); 1375 return 0; 1376 } 1377 1378 static int 1379 ipfw_ctl_flush_state(struct sockopt *sopt) 1380 { 1381 struct netmsg_del dmsg; 1382 struct netmsg_base *nmsg; 1383 /* 1384 * delete the state which stub is the rule 1385 * which belongs to the CPU and the rulenum 1386 */ 1387 bzero(&dmsg, sizeof(dmsg)); 1388 nmsg = &dmsg.base; 1389 netmsg_init(nmsg, NULL, &curthread->td_msgport, 1390 0, ipfw_delete_state_dispatch); 1391 dmsg.rulenum = 0; 1392 ifnet_domsg(&nmsg->lmsg, 0); 1393 return 0; 1394 } 1395 1396 /* 1397 * Get the ioc_rule from the sopt 1398 * call ipfw_add_rule to add the rule 1399 */ 1400 static int 1401 ipfw_ctl_add_rule(struct sockopt *sopt) 1402 { 1403 struct ipfw_ioc_rule *ioc_rule; 1404 size_t size; 1405 1406 size = sopt->sopt_valsize; 1407 if (size > (sizeof(uint32_t) * IPFW_RULE_SIZE_MAX) || 1408 size < sizeof(*ioc_rule)) { 1409 return EINVAL; 1410 } 1411 if (size != (sizeof(uint32_t) * IPFW_RULE_SIZE_MAX)) { 1412 sopt->sopt_val = krealloc(sopt->sopt_val, sizeof(uint32_t) * 1413 IPFW_RULE_SIZE_MAX, M_TEMP, M_WAITOK); 1414 } 1415 ioc_rule = sopt->sopt_val; 1416 1417 ipfw_add_rule(ioc_rule); 1418 return 0; 1419 } 1420 1421 static void * 1422 ipfw_copy_state(struct ip_fw_state *state, struct ipfw_ioc_state *ioc_state, int cpuid) 1423 { 1424 ioc_state->pcnt = state->pcnt; 1425 ioc_state->bcnt = state->bcnt; 1426 ioc_state->lifetime = state->lifetime; 1427 ioc_state->timestamp = state->timestamp; 1428 ioc_state->cpuid = cpuid; 1429 ioc_state->expiry = state->expiry; 1430 ioc_state->rulenum = state->stub->rulenum; 1431 1432 bcopy(&state->flow_id, &ioc_state->flow_id, sizeof(struct ipfw_flow_id)); 1433 return ioc_state + 1; 1434 } 1435 1436 static void * 1437 ipfw_copy_rule(const struct ip_fw *rule, struct ipfw_ioc_rule *ioc_rule) 1438 { 1439 const struct ip_fw *sibling; 1440 #ifdef INVARIANTS 1441 int i; 1442 #endif 1443 1444 ioc_rule->act_ofs = rule->act_ofs; 1445 ioc_rule->cmd_len = rule->cmd_len; 1446 ioc_rule->rulenum = rule->rulenum; 1447 ioc_rule->set = rule->set; 1448 1449 ioc_rule->set_disable = ipfw_ctx[mycpuid]->ipfw_set_disable; 1450 ioc_rule->static_count = static_count; 1451 ioc_rule->static_len = static_ioc_len; 1452 1453 ioc_rule->pcnt = 1; 1454 ioc_rule->bcnt = 0; 1455 ioc_rule->timestamp = 0; 1456 1457 #ifdef INVARIANTS 1458 i = 0; 1459 #endif 1460 ioc_rule->pcnt = 0; 1461 ioc_rule->bcnt = 0; 1462 ioc_rule->timestamp = 0; 1463 for (sibling = rule; sibling != NULL; sibling = sibling->sibling) { 1464 ioc_rule->pcnt += sibling->pcnt; 1465 ioc_rule->bcnt += sibling->bcnt; 1466 if (sibling->timestamp > ioc_rule->timestamp) 1467 ioc_rule->timestamp = sibling->timestamp; 1468 #ifdef INVARIANTS 1469 ++i; 1470 #endif 1471 } 1472 1473 KASSERT(i == ncpus, ("static rule is not duplicated on every cpu")); 1474 1475 bcopy(rule->cmd, ioc_rule->cmd, ioc_rule->cmd_len * 4 /* XXX */); 1476 1477 return ((uint8_t *)ioc_rule + IOC_RULESIZE(ioc_rule)); 1478 } 1479 1480 static int 1481 ipfw_ctl_get_modules(struct sockopt *sopt) 1482 { 1483 int i; 1484 struct ipfw_module *mod; 1485 char module_str[1024]; 1486 memset(module_str,0,1024); 1487 for (i = 0, mod = ipfw_modules; i < MAX_MODULE; i++, mod++) { 1488 if (mod->type != 0) { 1489 if (i > 0) 1490 strcat(module_str,","); 1491 strcat(module_str,mod->name); 1492 } 1493 } 1494 bzero(sopt->sopt_val, sopt->sopt_valsize); 1495 bcopy(module_str, sopt->sopt_val, strlen(module_str)); 1496 sopt->sopt_valsize = strlen(module_str); 1497 return 0; 1498 } 1499 1500 /* 1501 * Copy all static rules and states on all CPU 1502 */ 1503 static int 1504 ipfw_ctl_get_rules(struct sockopt *sopt) 1505 { 1506 struct ipfw_context *ctx = ipfw_ctx[mycpuid]; 1507 struct ipfw_state_context *state_ctx; 1508 struct ip_fw *rule; 1509 struct ip_fw_state *state; 1510 void *bp; 1511 size_t size; 1512 int i, j, state_count = 0; 1513 1514 size = static_ioc_len; 1515 for (i = 0; i < ncpus; i++) { 1516 for (j = 0; j < ctx->state_hash_size; j++) { 1517 state_ctx = &ipfw_ctx[i]->state_ctx[j]; 1518 state_count += state_ctx->count; 1519 } 1520 } 1521 if (state_count > 0) { 1522 size += state_count * sizeof(struct ipfw_ioc_state); 1523 } 1524 1525 if (sopt->sopt_valsize < size) { 1526 /* XXX TODO sopt_val is not big enough */ 1527 bzero(sopt->sopt_val, sopt->sopt_valsize); 1528 return 0; 1529 } 1530 1531 sopt->sopt_valsize = size; 1532 bp = sopt->sopt_val; 1533 1534 for (rule = ctx->ipfw_rule_chain; rule; rule = rule->next) { 1535 bp = ipfw_copy_rule(rule, bp); 1536 } 1537 if (state_count > 0 ) { 1538 for (i = 0; i < ncpus; i++) { 1539 for (j = 0; j < ctx->state_hash_size; j++) { 1540 state_ctx = &ipfw_ctx[i]->state_ctx[j]; 1541 state = state_ctx->state; 1542 while (state != NULL) { 1543 bp = ipfw_copy_state(state, bp, i); 1544 state = state->next; 1545 } 1546 } 1547 } 1548 } 1549 return 0; 1550 } 1551 1552 static void 1553 ipfw_set_disable_dispatch(netmsg_t nmsg) 1554 { 1555 struct lwkt_msg *lmsg = &nmsg->lmsg; 1556 struct ipfw_context *ctx = ipfw_ctx[mycpuid]; 1557 1558 ctx->ipfw_set_disable = lmsg->u.ms_result32; 1559 1560 ifnet_forwardmsg(lmsg, mycpuid + 1); 1561 } 1562 1563 static void 1564 ipfw_ctl_set_disable(uint32_t disable, uint32_t enable) 1565 { 1566 struct netmsg_base nmsg; 1567 struct lwkt_msg *lmsg; 1568 uint32_t set_disable; 1569 1570 /* IPFW_DEFAULT_SET is always enabled */ 1571 enable |= (1 << IPFW_DEFAULT_SET); 1572 set_disable = (ipfw_ctx[mycpuid]->ipfw_set_disable | disable) & ~enable; 1573 1574 bzero(&nmsg, sizeof(nmsg)); 1575 netmsg_init(&nmsg, NULL, &curthread->td_msgport, 1576 0, ipfw_set_disable_dispatch); 1577 lmsg = &nmsg.lmsg; 1578 lmsg->u.ms_result32 = set_disable; 1579 1580 ifnet_domsg(lmsg, 0); 1581 } 1582 1583 1584 /* 1585 * ipfw_ctl_x - extended version of ipfw_ctl 1586 * remove the x_header, and adjust the sopt_name,sopt_val and sopt_valsize. 1587 */ 1588 int 1589 ipfw_ctl_x(struct sockopt *sopt) 1590 { 1591 ip_fw_x_header *x_header; 1592 x_header = (ip_fw_x_header *)(sopt->sopt_val); 1593 sopt->sopt_name = x_header->opcode; 1594 sopt->sopt_valsize -= sizeof(ip_fw_x_header); 1595 bcopy(++x_header, sopt->sopt_val, sopt->sopt_valsize); 1596 return ipfw_ctl(sopt); 1597 } 1598 1599 1600 /** 1601 * {set|get}sockopt parser. 1602 */ 1603 static int 1604 ipfw_ctl(struct sockopt *sopt) 1605 { 1606 int error, rulenum; 1607 uint32_t *masks; 1608 size_t size; 1609 1610 error = 0; 1611 switch (sopt->sopt_name) { 1612 case IP_FW_X: 1613 ipfw_ctl_x(sopt); 1614 break; 1615 case IP_FW_GET: 1616 error = ipfw_ctl_get_rules(sopt); 1617 break; 1618 case IP_FW_MODULE: 1619 error = ipfw_ctl_get_modules(sopt); 1620 break; 1621 1622 case IP_FW_FLUSH: 1623 ipfw_ctl_flush_rule(0); 1624 break; 1625 1626 case IP_FW_ADD: 1627 error = ipfw_ctl_add_rule(sopt); 1628 break; 1629 1630 case IP_FW_DEL: 1631 /* 1632 * IP_FW_DEL is used for deleting single rules or sets, 1633 * and (ab)used to atomically manipulate sets. 1634 * Argument size is used to distinguish between the two: 1635 * sizeof(uint32_t) 1636 * delete single rule or set of rules, 1637 * or reassign rules (or sets) to a different set. 1638 * 2 * sizeof(uint32_t) 1639 * atomic disable/enable sets. 1640 * first uint32_t contains sets to be disabled, 1641 * second uint32_t contains sets to be enabled. 1642 */ 1643 masks = sopt->sopt_val; 1644 size = sopt->sopt_valsize; 1645 if (size == sizeof(*masks)) { 1646 /* 1647 * Delete or reassign static rule 1648 */ 1649 error = ipfw_ctl_alter(masks[0]); 1650 } else if (size == (2 * sizeof(*masks))) { 1651 /* 1652 * Set enable/disable 1653 */ 1654 ipfw_ctl_set_disable(masks[0], masks[1]); 1655 } else { 1656 error = EINVAL; 1657 } 1658 break; 1659 case IP_FW_ZERO: 1660 case IP_FW_RESETLOG: /* argument is an int, the rule number */ 1661 rulenum = 0; 1662 if (sopt->sopt_valsize != 0) { 1663 error = soopt_to_kbuf(sopt, &rulenum, 1664 sizeof(int), sizeof(int)); 1665 if (error) { 1666 break; 1667 } 1668 } 1669 error = ipfw_ctl_zero_entry(rulenum, 1670 sopt->sopt_name == IP_FW_RESETLOG); 1671 break; 1672 case IP_FW_NAT_CFG: 1673 error = ipfw_nat_cfg_ptr(sopt); 1674 break; 1675 case IP_FW_NAT_DEL: 1676 error = ipfw_nat_del_ptr(sopt); 1677 break; 1678 case IP_FW_NAT_FLUSH: 1679 error = ipfw_nat_flush_ptr(sopt); 1680 break; 1681 case IP_FW_NAT_GET: 1682 error = ipfw_nat_get_cfg_ptr(sopt); 1683 break; 1684 case IP_FW_NAT_LOG: 1685 error = ipfw_nat_get_log_ptr(sopt); 1686 break; 1687 case IP_DUMMYNET_GET: 1688 case IP_DUMMYNET_CONFIGURE: 1689 case IP_DUMMYNET_DEL: 1690 case IP_DUMMYNET_FLUSH: 1691 error = ip_dn_sockopt(sopt); 1692 break; 1693 case IP_FW_STATE_ADD: 1694 error = ipfw_ctl_add_state(sopt); 1695 break; 1696 case IP_FW_STATE_DEL: 1697 error = ipfw_ctl_delete_state(sopt); 1698 break; 1699 case IP_FW_STATE_FLUSH: 1700 error = ipfw_ctl_flush_state(sopt); 1701 break; 1702 default: 1703 kprintf("ipfw_ctl invalid option %d\n", 1704 sopt->sopt_name); 1705 error = EINVAL; 1706 } 1707 return error; 1708 } 1709 1710 static int 1711 ipfw_check_in(void *arg, struct mbuf **m0, struct ifnet *ifp, int dir) 1712 { 1713 struct ip_fw_args args; 1714 struct mbuf *m = *m0; 1715 struct m_tag *mtag; 1716 int tee = 0, error = 0, ret; 1717 // again: 1718 if (m->m_pkthdr.fw_flags & DUMMYNET_MBUF_TAGGED) { 1719 /* Extract info from dummynet tag */ 1720 mtag = m_tag_find(m, PACKET_TAG_DUMMYNET, NULL); 1721 KKASSERT(mtag != NULL); 1722 args.rule = ((struct dn_pkt *)m_tag_data(mtag))->dn_priv; 1723 KKASSERT(args.rule != NULL); 1724 1725 m_tag_delete(m, mtag); 1726 m->m_pkthdr.fw_flags &= ~DUMMYNET_MBUF_TAGGED; 1727 } else { 1728 args.rule = NULL; 1729 } 1730 1731 args.eh = NULL; 1732 args.oif = NULL; 1733 args.m = m; 1734 ret = ipfw_chk(&args); 1735 m = args.m; 1736 1737 if (m == NULL) { 1738 error = EACCES; 1739 goto back; 1740 } 1741 switch (ret) { 1742 case IP_FW_PASS: 1743 break; 1744 1745 case IP_FW_DENY: 1746 m_freem(m); 1747 m = NULL; 1748 error = EACCES; 1749 break; 1750 1751 case IP_FW_DUMMYNET: 1752 /* Send packet to the appropriate pipe */ 1753 ipfw_dummynet_io(m, args.cookie, DN_TO_IP_IN, &args); 1754 break; 1755 1756 case IP_FW_TEE: 1757 tee = 1; 1758 /* FALL THROUGH */ 1759 1760 case IP_FW_DIVERT: 1761 /* 1762 * Must clear bridge tag when changing 1763 */ 1764 m->m_pkthdr.fw_flags &= ~BRIDGE_MBUF_TAGGED; 1765 if (ip_divert_p != NULL) { 1766 m = ip_divert_p(m, tee, 1); 1767 } else { 1768 m_freem(m); 1769 m = NULL; 1770 /* not sure this is the right error msg */ 1771 error = EACCES; 1772 } 1773 break; 1774 1775 case IP_FW_NAT: 1776 break; 1777 case IP_FW_ROUTE: 1778 break; 1779 default: 1780 panic("unknown ipfw return value: %d", ret); 1781 } 1782 back: 1783 *m0 = m; 1784 return error; 1785 } 1786 1787 static int 1788 ipfw_check_out(void *arg, struct mbuf **m0, struct ifnet *ifp, int dir) 1789 { 1790 struct ip_fw_args args; 1791 struct mbuf *m = *m0; 1792 struct m_tag *mtag; 1793 int tee = 0, error = 0, ret; 1794 // again: 1795 if (m->m_pkthdr.fw_flags & DUMMYNET_MBUF_TAGGED) { 1796 /* Extract info from dummynet tag */ 1797 mtag = m_tag_find(m, PACKET_TAG_DUMMYNET, NULL); 1798 KKASSERT(mtag != NULL); 1799 args.rule = ((struct dn_pkt *)m_tag_data(mtag))->dn_priv; 1800 KKASSERT(args.rule != NULL); 1801 1802 m_tag_delete(m, mtag); 1803 m->m_pkthdr.fw_flags &= ~DUMMYNET_MBUF_TAGGED; 1804 } else { 1805 args.rule = NULL; 1806 } 1807 1808 args.eh = NULL; 1809 args.m = m; 1810 args.oif = ifp; 1811 ret = ipfw_chk(&args); 1812 m = args.m; 1813 1814 if (m == NULL) { 1815 error = EACCES; 1816 goto back; 1817 } 1818 1819 switch (ret) { 1820 case IP_FW_PASS: 1821 break; 1822 1823 case IP_FW_DENY: 1824 m_freem(m); 1825 m = NULL; 1826 error = EACCES; 1827 break; 1828 1829 case IP_FW_DUMMYNET: 1830 ipfw_dummynet_io(m, args.cookie, DN_TO_IP_OUT, &args); 1831 break; 1832 1833 case IP_FW_TEE: 1834 tee = 1; 1835 /* FALL THROUGH */ 1836 1837 case IP_FW_DIVERT: 1838 if (ip_divert_p != NULL) { 1839 m = ip_divert_p(m, tee, 0); 1840 } else { 1841 m_freem(m); 1842 m = NULL; 1843 /* not sure this is the right error msg */ 1844 error = EACCES; 1845 } 1846 break; 1847 1848 case IP_FW_NAT: 1849 break; 1850 case IP_FW_ROUTE: 1851 break; 1852 default: 1853 panic("unknown ipfw return value: %d", ret); 1854 } 1855 back: 1856 *m0 = m; 1857 return error; 1858 } 1859 1860 static void 1861 ipfw_hook(void) 1862 { 1863 struct pfil_head *pfh; 1864 IPFW_ASSERT_CFGPORT(&curthread->td_msgport); 1865 1866 pfh = pfil_head_get(PFIL_TYPE_AF, AF_INET); 1867 if (pfh == NULL) 1868 return; 1869 1870 pfil_add_hook(ipfw_check_in, NULL, PFIL_IN | PFIL_MPSAFE, pfh); 1871 pfil_add_hook(ipfw_check_out, NULL, PFIL_OUT | PFIL_MPSAFE, pfh); 1872 } 1873 1874 static void 1875 ipfw_dehook(void) 1876 { 1877 struct pfil_head *pfh; 1878 1879 IPFW_ASSERT_CFGPORT(&curthread->td_msgport); 1880 1881 pfh = pfil_head_get(PFIL_TYPE_AF, AF_INET); 1882 if (pfh == NULL) 1883 return; 1884 1885 pfil_remove_hook(ipfw_check_in, NULL, PFIL_IN, pfh); 1886 pfil_remove_hook(ipfw_check_out, NULL, PFIL_OUT, pfh); 1887 } 1888 1889 static void 1890 ipfw_sysctl_enable_dispatch(netmsg_t nmsg) 1891 { 1892 struct lwkt_msg *lmsg = &nmsg->lmsg; 1893 int enable = lmsg->u.ms_result; 1894 1895 if (fw3_enable == enable) 1896 goto reply; 1897 1898 fw3_enable = enable; 1899 if (fw3_enable) 1900 ipfw_hook(); 1901 else 1902 ipfw_dehook(); 1903 1904 reply: 1905 lwkt_replymsg(lmsg, 0); 1906 } 1907 1908 static int 1909 ipfw_sysctl_enable(SYSCTL_HANDLER_ARGS) 1910 { 1911 struct netmsg_base nmsg; 1912 struct lwkt_msg *lmsg; 1913 int enable, error; 1914 1915 enable = fw3_enable; 1916 error = sysctl_handle_int(oidp, &enable, 0, req); 1917 if (error || req->newptr == NULL) 1918 return error; 1919 1920 netmsg_init(&nmsg, NULL, &curthread->td_msgport, 1921 0, ipfw_sysctl_enable_dispatch); 1922 lmsg = &nmsg.lmsg; 1923 lmsg->u.ms_result = enable; 1924 1925 return lwkt_domsg(IPFW_CFGPORT, lmsg, 0); 1926 } 1927 1928 static int 1929 ipfw_sysctl_autoinc_step(SYSCTL_HANDLER_ARGS) 1930 { 1931 return sysctl_int_range(oidp, arg1, arg2, req, 1932 IPFW_AUTOINC_STEP_MIN, IPFW_AUTOINC_STEP_MAX); 1933 } 1934 1935 1936 static void 1937 ipfw_ctx_init_dispatch(netmsg_t nmsg) 1938 { 1939 struct netmsg_ipfw *fwmsg = (struct netmsg_ipfw *)nmsg; 1940 struct ipfw_context *ctx; 1941 struct ip_fw *def_rule; 1942 1943 if (mycpuid == 0 ) { 1944 ipfw_nat_ctx = kmalloc(sizeof(struct ipfw_nat_context), 1945 M_IPFW3, M_WAITOK | M_ZERO); 1946 } 1947 1948 ctx = kmalloc(sizeof(struct ipfw_context), M_IPFW3, M_WAITOK | M_ZERO); 1949 ipfw_ctx[mycpuid] = ctx; 1950 1951 def_rule = kmalloc(sizeof(struct ip_fw), M_IPFW3, M_WAITOK | M_ZERO); 1952 def_rule->act_ofs = 0; 1953 def_rule->rulenum = IPFW_DEFAULT_RULE; 1954 def_rule->cmd_len = 2; 1955 def_rule->set = IPFW_DEFAULT_SET; 1956 1957 def_rule->cmd[0].len = LEN_OF_IPFWINSN; 1958 def_rule->cmd[0].module = MODULE_BASIC_ID; 1959 #ifdef IPFIREWALL_DEFAULT_TO_ACCEPT 1960 def_rule->cmd[0].opcode = O_BASIC_ACCEPT; 1961 #else 1962 if (filters_default_to_accept) 1963 def_rule->cmd[0].opcode = O_BASIC_ACCEPT; 1964 else 1965 def_rule->cmd[0].opcode = O_BASIC_DENY; 1966 #endif 1967 1968 /* Install the default rule */ 1969 ctx->ipfw_default_rule = def_rule; 1970 ctx->ipfw_rule_chain = def_rule; 1971 1972 /* 1973 * if sibiling in last CPU is exists, 1974 * then it's sibling should be current rule 1975 */ 1976 if (fwmsg->sibling != NULL) { 1977 fwmsg->sibling->sibling = def_rule; 1978 } 1979 /* prepare for next CPU */ 1980 fwmsg->sibling = def_rule; 1981 1982 /* Statistics only need to be updated once */ 1983 if (mycpuid == 0) 1984 ipfw_inc_static_count(def_rule); 1985 1986 ifnet_forwardmsg(&nmsg->lmsg, mycpuid + 1); 1987 } 1988 1989 static void 1990 ipfw_init_dispatch(netmsg_t nmsg) 1991 { 1992 struct netmsg_ipfw fwmsg; 1993 int error = 0; 1994 if (IPFW3_LOADED) { 1995 kprintf("IP firewall already loaded\n"); 1996 error = EEXIST; 1997 goto reply; 1998 } 1999 2000 bzero(&fwmsg, sizeof(fwmsg)); 2001 netmsg_init(&fwmsg.base, NULL, &curthread->td_msgport, 2002 0, ipfw_ctx_init_dispatch); 2003 ifnet_domsg(&fwmsg.base.lmsg, 0); 2004 2005 ip_fw_chk_ptr = ipfw_chk; 2006 ip_fw_ctl_x_ptr = ipfw_ctl_x; 2007 ip_fw_dn_io_ptr = ipfw_dummynet_io; 2008 2009 kprintf("ipfw3 initialized, default to %s, logging ", 2010 (int)(ipfw_ctx[mycpuid]->ipfw_default_rule->cmd[0].opcode) == 2011 O_BASIC_ACCEPT ? "accept" : "deny"); 2012 2013 #ifdef IPFIREWALL_VERBOSE 2014 fw_verbose = 1; 2015 #endif 2016 #ifdef IPFIREWALL_VERBOSE_LIMIT 2017 verbose_limit = IPFIREWALL_VERBOSE_LIMIT; 2018 #endif 2019 if (fw_verbose == 0) { 2020 kprintf("disabled "); 2021 } else if (verbose_limit == 0) { 2022 kprintf("unlimited "); 2023 } else { 2024 kprintf("limited to %d packets/entry by default ", 2025 verbose_limit); 2026 } 2027 kprintf("\n"); 2028 ip_fw3_loaded = 1; 2029 if (fw3_enable) 2030 ipfw_hook(); 2031 reply: 2032 lwkt_replymsg(&nmsg->lmsg, error); 2033 } 2034 2035 static int 2036 ipfw3_init(void) 2037 { 2038 struct netmsg_base smsg; 2039 init_module(); 2040 netmsg_init(&smsg, NULL, &curthread->td_msgport, 2041 0, ipfw_init_dispatch); 2042 return lwkt_domsg(IPFW_CFGPORT, &smsg.lmsg, 0); 2043 } 2044 2045 #ifdef KLD_MODULE 2046 2047 static void 2048 ipfw_fini_dispatch(netmsg_t nmsg) 2049 { 2050 int error = 0, cpu; 2051 2052 ip_fw3_loaded = 0; 2053 2054 ipfw_dehook(); 2055 netmsg_service_sync(); 2056 ip_fw_chk_ptr = NULL; 2057 ip_fw_ctl_x_ptr = NULL; 2058 ip_fw_dn_io_ptr = NULL; 2059 ipfw_ctl_flush_rule(1 /* kill default rule */); 2060 /* Free pre-cpu context */ 2061 for (cpu = 0; cpu < ncpus; ++cpu) { 2062 if (ipfw_ctx[cpu] != NULL) { 2063 kfree(ipfw_ctx[cpu], M_IPFW3); 2064 ipfw_ctx[cpu] = NULL; 2065 } 2066 } 2067 kfree(ipfw_nat_ctx,M_IPFW3); 2068 ipfw_nat_ctx = NULL; 2069 kprintf("IP firewall unloaded\n"); 2070 2071 lwkt_replymsg(&nmsg->lmsg, error); 2072 } 2073 2074 static int 2075 ipfw3_fini(void) 2076 { 2077 struct netmsg_base smsg; 2078 netmsg_init(&smsg, NULL, &curthread->td_msgport, 2079 0, ipfw_fini_dispatch); 2080 return lwkt_domsg(IPFW_CFGPORT, &smsg.lmsg, 0); 2081 } 2082 2083 #endif /* KLD_MODULE */ 2084 2085 static int 2086 ipfw3_modevent(module_t mod, int type, void *unused) 2087 { 2088 int err = 0; 2089 2090 switch (type) { 2091 case MOD_LOAD: 2092 err = ipfw3_init(); 2093 break; 2094 2095 case MOD_UNLOAD: 2096 2097 #ifndef KLD_MODULE 2098 kprintf("ipfw statically compiled, cannot unload\n"); 2099 err = EBUSY; 2100 #else 2101 err = ipfw3_fini(); 2102 #endif 2103 break; 2104 default: 2105 break; 2106 } 2107 return err; 2108 } 2109 2110 static moduledata_t ipfw3mod = { 2111 "ipfw3", 2112 ipfw3_modevent, 2113 0 2114 }; 2115 DECLARE_MODULE(ipfw3, ipfw3mod, SI_SUB_PROTO_END, SI_ORDER_ANY); 2116 MODULE_VERSION(ipfw3, 1); 2117