1 /* 2 * Copyright (c) 2014 The DragonFly Project. All rights reserved. 3 * 4 * This code is derived from software contributed to The DragonFly Project 5 * by Bill Yuan <bycn82@dragonflybsd.org> 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in 15 * the documentation and/or other materials provided with the 16 * distribution. 17 * 3. Neither the name of The DragonFly Project nor the names of its 18 * contributors may be used to endorse or promote products derived 19 * from this software without specific, prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 22 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 23 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 24 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 25 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 26 * INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING, 27 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 28 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 29 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 30 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT 31 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 
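 */

#include <sys/param.h>
#include <sys/systm.h>
#include <sys/kernel.h>
#include <sys/malloc.h>
#include <sys/mbuf.h>
#include <sys/socketvar.h>
#include <sys/sysctl.h>
#include <sys/systimer.h>
#include <sys/thread2.h>

#include <net/ethernet.h>
#include <net/netmsg2.h>
#include <net/netisr2.h>
#include <net/route.h>

#include <netinet/in_var.h>
#include <netinet/ip_var.h>

#include <net/ipfw3/ip_fw.h>
#include <net/ipfw3/ip_fw3_table.h>

#include "ip_fw3_layer2.h"

/*
 * ipfw3 layer-2 filter module.
 *
 * Every filter below follows the ipfw3 filter_func contract: it writes
 * IP_FW_CTL_NO to *cmd_ctl (no flow-control action) and the match result
 * to *cmd_val.  A packet that carries no Ethernet header ((*args)->eh == NULL)
 * never matches a MAC filter.  The unused parameters (f, ip_len) are part
 * of the shared filter_func signature and must stay.
 */

extern struct ipfw_context *ipfw_ctx[MAXCPU];

/*
 * Masked byte-wise comparison shared by the O_LAYER2_MAC* filters.
 *
 * Returns 1 when (hdr[i] & mask[i]) == want[i] for every i < len, else 0.
 * A byte loop gives the same answer as the previous word-wise compare but
 * does not load uint32_t/uint16_t words through a cast of the Ethernet
 * header, which is neither alignment- nor aliasing-safe.
 */
static int
mac_masked_match(const uint8_t *want, const uint8_t *mask,
    const uint8_t *hdr, size_t len)
{
	size_t i;

	for (i = 0; i < len; i++) {
		if (want[i] != (hdr[i] & mask[i]))
			return 0;
	}
	return 1;
}

/*
 * Look a 6-byte MAC address up in MAC table number 'table_idx' of the
 * current CPU's ipfw context.  Returns 1 when an entry exists, else 0.
 *
 * The radix key is a struct sockaddr whose first 8 bytes are sa_len,
 * sa_family and the 6 address bytes.  The whole sockaddr is zeroed first so
 * no uninitialized stack bytes (sa_family, the tail of sa_data) can reach
 * the radix comparison.  memcpy replaces the original strncpy: strncpy
 * stops at the first 0x00 octet, so any MAC containing a zero byte (for
 * example 00:11:22:33:44:55) was looked up as an all-zero, truncated key
 * and MAC-based allow/deny rules silently misfired for such addresses.
 *
 * NOTE(review): the insert side of the table must build its key with the
 * same byte-exact copy, otherwise lookups and inserts disagree -- confirm
 * in ip_fw3_table.  table_idx is taken from the rule unchecked here; it is
 * assumed to have been validated against the table count when the rule was
 * installed -- confirm.
 */
static int
mac_table_lookup(uint16_t table_idx, const uint8_t *mac)
{
	struct ipfw_context *ctx = ipfw_ctx[mycpuid];
	struct ipfw_table_context *table_ctx = ctx->table_ctx + table_idx;
	struct radix_node_head *rnh = table_ctx->node;
	struct sockaddr sa;

	/* A table that has no radix tree attached cannot contain the MAC. */
	if (rnh == NULL)
		return 0;

	memset(&sa, 0, sizeof(sa));
	sa.sa_len = 8;	/* sa_len + sa_family + ETHER_ADDR_LEN */
	memcpy(sa.sa_data, mac, ETHER_ADDR_LEN);

	return rnh->rnh_lookup((char *)&sa, NULL, rnh) != NULL;
}

/*
 * O_LAYER2_LAYER2: match when the packet carries an Ethernet header.
 */
void
check_layer2(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
    struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len)
{
	*cmd_val = ((*args)->eh != NULL);
	*cmd_ctl = IP_FW_CTL_NO;
}

/*
 * O_LAYER2_MAC: match when both the destination MAC (addr/mask bytes 0..5)
 * and the source MAC (addr/mask bytes 6..11) match under their masks.
 */
void
check_mac(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
    struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len)
{
	const ipfw_insn_mac *mac = (const ipfw_insn_mac *)cmd;
	const struct ether_header *eh = (*args)->eh;
	const uint8_t *want = (const uint8_t *)mac->addr;
	const uint8_t *mask = (const uint8_t *)mac->mask;

	*cmd_ctl = IP_FW_CTL_NO;
	if (eh == NULL) {
		*cmd_val = IP_FW_NOT_MATCH;
		return;
	}
	*cmd_val =
	    mac_masked_match(want, mask, eh->ether_dhost, ETHER_ADDR_LEN) &&
	    mac_masked_match(want + ETHER_ADDR_LEN, mask + ETHER_ADDR_LEN,
		eh->ether_shost, ETHER_ADDR_LEN);
}

/*
 * O_LAYER2_MAC_SRC: match the source MAC against addr/mask bytes 6..11.
 */
void
check_mac_from(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
    struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len)
{
	const ipfw_insn_mac *mac = (const ipfw_insn_mac *)cmd;
	const struct ether_header *eh = (*args)->eh;

	*cmd_ctl = IP_FW_CTL_NO;
	if (eh == NULL) {
		*cmd_val = IP_FW_NOT_MATCH;
		return;
	}
	*cmd_val = mac_masked_match(
	    (const uint8_t *)mac->addr + ETHER_ADDR_LEN,
	    (const uint8_t *)mac->mask + ETHER_ADDR_LEN,
	    eh->ether_shost, ETHER_ADDR_LEN);
}

/*
 * O_LAYER2_MAC_SRC_LOOKUP: match when the source MAC is present in MAC
 * table cmd->arg1.
 */
void
check_mac_from_lookup(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
    struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len)
{
	const struct ether_header *eh = (*args)->eh;

	*cmd_ctl = IP_FW_CTL_NO;
	*cmd_val = IP_FW_NOT_MATCH;
	if (eh != NULL && mac_table_lookup(cmd->arg1, eh->ether_shost))
		*cmd_val = IP_FW_MATCH;
}

/*
 * O_LAYER2_MAC_DST: match the destination MAC against addr/mask bytes 0..5.
 */
void
check_mac_to(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
    struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len)
{
	const ipfw_insn_mac *mac = (const ipfw_insn_mac *)cmd;
	const struct ether_header *eh = (*args)->eh;

	*cmd_ctl = IP_FW_CTL_NO;
	if (eh == NULL) {
		*cmd_val = IP_FW_NOT_MATCH;
		return;
	}
	*cmd_val = mac_masked_match((const uint8_t *)mac->addr,
	    (const uint8_t *)mac->mask, eh->ether_dhost, ETHER_ADDR_LEN);
}

/*
 * O_LAYER2_MAC_DST_LOOKUP: match when the destination MAC is present in
 * MAC table cmd->arg1.
 */
void
check_mac_to_lookup(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
    struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len)
{
	const struct ether_header *eh = (*args)->eh;

	*cmd_ctl = IP_FW_CTL_NO;
	*cmd_val = IP_FW_NOT_MATCH;
	if (eh != NULL && mac_table_lookup(cmd->arg1, eh->ether_dhost))
		*cmd_val = IP_FW_MATCH;
}

/*
 * Register the module and each of its opcode -> filter function bindings.
 * Always returns 0; the registration helpers' results are not examined.
 */
static int
ipfw3_layer2_init(void)
{
	register_ipfw_module(MODULE_LAYER2_ID, MODULE_LAYER2_NAME);
	register_ipfw_filter_funcs(MODULE_LAYER2_ID,
	    O_LAYER2_LAYER2, (filter_func)check_layer2);
	register_ipfw_filter_funcs(MODULE_LAYER2_ID,
	    O_LAYER2_MAC, (filter_func)check_mac);
	register_ipfw_filter_funcs(MODULE_LAYER2_ID,
	    O_LAYER2_MAC_SRC, (filter_func)check_mac_from);
	register_ipfw_filter_funcs(MODULE_LAYER2_ID,
	    O_LAYER2_MAC_DST, (filter_func)check_mac_to);
	register_ipfw_filter_funcs(MODULE_LAYER2_ID,
	    O_LAYER2_MAC_SRC_LOOKUP,
	    (filter_func)check_mac_from_lookup);
	register_ipfw_filter_funcs(MODULE_LAYER2_ID,
	    O_LAYER2_MAC_DST_LOOKUP,
	    (filter_func)check_mac_to_lookup);
	return 0;
}

/*
 * Unregister the module; returns whatever unregister_ipfw_module returns.
 */
static int
ipfw3_layer2_stop(void)
{
	return unregister_ipfw_module(MODULE_LAYER2_ID);
}

/*
 * Kernel module event handler: load registers, unload unregisters, every
 * other event is accepted as a no-op.
 */
static int
ipfw3_layer2_modevent(module_t mod, int type, void *data)
{
	switch (type) {
	case MOD_LOAD:
		return ipfw3_layer2_init();
	case MOD_UNLOAD:
		return ipfw3_layer2_stop();
	default:
		break;
	}
	return 0;
}

static moduledata_t ipfw3_layer2_mod = {
	"ipfw3_layer2",
	ipfw3_layer2_modevent,
	NULL
};
DECLARE_MODULE(ipfw3_layer2, ipfw3_layer2_mod, SI_SUB_PROTO_END, SI_ORDER_ANY);
MODULE_DEPEND(ipfw3_layer2, ipfw3_basic, 1, 1, 1);
MODULE_VERSION(ipfw3_layer2, 1);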